Popular open source package with 1M downloads hijacked to steal credentials
Original: Open source package with 1 million monthly downloads stole user credentials
Why This Matters
Highlights supply chain security risks in open source ecosystems with millions of users
The element-data package version 0.23.3 was compromised through a GitHub Actions workflow vulnerability, affecting users who installed it between Friday and Saturday. Attackers stole user profiles, cloud keys, API tokens, and SSH keys from affected systems.
Unknown attackers exploited a vulnerability in Elementary's GitHub Actions workflow to gain access to signing keys and publish malicious version 0.23.3 of element-data, a CLI tool for monitoring machine learning systems. The compromised package harvested sensitive data, including warehouse credentials, cloud provider keys, API tokens, and SSH keys, from infected systems. The malicious version was removed after 12 hours following a third-party report. Elementary urged affected users to immediately uninstall version 0.23.3, upgrade to 0.23.4, check for the marker file at /tmp/.trinny-security-update, and rotate all accessible credentials. CI/CD runners face particular risk because secrets are mounted on them. The company has fixed the vulnerability and rotated all compromised credentials.
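The remediation steps above (uninstall 0.23.3, upgrade to 0.23.4, check for the marker file, rotate credentials) lend themselves to a per-host triage script that a responder can run on workstations and CI/CD runners. The following script is an added example, not Elementary's code or anything from the original article. It assumes the package is installed with pip under the name `element-data` (an assumption; adjust if your environment uses another installer or name) and takes the affected version and marker path directly from the report. A host is flagged even when the package is already gone, because the marker file is evidence that the malicious release ran, and in that case the credentials still need rotating.

```shell
#!/bin/sh
# Added triage script for the element-data 0.23.3 compromise.
# Assumptions: package installed via pip under the name "element-data";
# affected version and marker path are as stated in the advisory summary.

AFFECTED_VERSION="0.23.3"
MARKER_PATH="/tmp/.trinny-security-update"

# Print the installed version of a pip package, or nothing if it is absent.
installed_version() {
  pip show "$1" 2>/dev/null | awk '/^Version:/ { print $2 }'
}

# Succeed (exit 0) only when the version string is the compromised release.
is_affected_version() {
  [ "$1" = "$AFFECTED_VERSION" ]
}

# Succeed when the marker the malicious release leaves behind exists.
marker_present() {
  [ -e "$1" ]
}

# Classify a host from its installed version ($1, empty if not installed)
# and the marker path to check ($2). Prints exactly one status word.
triage() {
  version="$1"
  marker="$2"
  if is_affected_version "$version"; then
    echo "COMPROMISED"     # malicious release is still installed
  elif marker_present "$marker"; then
    echo "MARKER_ONLY"     # package removed or upgraded, but 0.23.3 ran here
  elif [ -z "$version" ]; then
    echo "NOT_INSTALLED"
  else
    echo "CLEAN"
  fi
}

# Print the remediation steps from the advisory for a given status.
actions_for() {
  case "$1" in
    COMPROMISED|MARKER_ONLY)
      echo "1. pip uninstall element-data && pip install 'element-data==0.23.4'"
      echo "2. rotate every credential reachable from this host:"
      echo "   warehouse credentials, cloud provider keys, API tokens, SSH keys"
      echo "3. on CI/CD runners, also rotate every mounted pipeline secret"
      ;;
    *)
      echo "no action required"
      ;;
  esac
}

# Stand-alone run: inspect this host and print status plus actions.
main() {
  v="$(installed_version element-data)"
  status="$(triage "$v" "$MARKER_PATH")"
  echo "element-data version: ${v:-<not installed>}"
  echo "marker $MARKER_PATH: $(marker_present "$MARKER_PATH" && echo present || echo absent)"
  echo "status: $status"
  actions_for "$status"
}

main "$@"
```

Run it as root or as the service account the pipeline uses, since the marker lives in `/tmp` and the pip environment that matters is the one the job executes in. Treat `NOT_INSTALLED` and `CLEAN` as "no evidence found", not proof of safety: if a host had 0.23.3 installed during the exposure window and the marker was since cleaned up, rotate its credentials anyway.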