WeSearch

Open source package with 1M monthly downloads stole user credentials

#open source#supply chain attack#cybersecurity#element-data#malicious package
TL;DR (AI summary)

A popular open source package called element-data, with over 1 million monthly downloads, was compromised when attackers exploited a vulnerability in a GitHub action to steal signing keys and publish a malicious version, 0.23.3, which collected sensitive user data. The malicious package was removed within 12 hours, but users are urged to assume compromise if they installed the affected version. Developers have rotated credentials, patched the vulnerability, and advised users to update to version 0.23.4 and rotate exposed secrets. The incident highlights ongoing risks in open source supply chains, particularly from insecure CI/CD workflows.

Original article: Ars Technica

Opening excerpt (first ~120 words)

POISONING THE WELL

Open source package with 1 million monthly downloads stole user credentials

If you’re one of millions using element-data, it’s time to check for compromise.

Dan Goodin – Apr 27, 2026 5:04 pm

Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a vulnerability in the developers’ account workflow that gave access to its signing keys and other sensitive information. On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems.
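A defender-side check built from the two version numbers named in the summary and excerpt above, added here as an example; it is not code from the article or from the element-data project. It assumes a pip-style requirements file (the article does not say which package ecosystem element-data ships in) and encodes only what the page states: 0.23.3 is the malicious release and 0.23.4 is the release users are told to update to. The sample manifest is constructed. Beyond the single pinned case, it also flags version ranges and unpinned entries that a resolver could still satisfy with 0.23.3, and it can query the locally installed distribution, which is the question the article tells users to answer.

```python
"""Audit dependency pins for the compromised element-data release.

Added example (not from the article). Assumes pip-style requirement lines
such as "element-data==0.23.3" or "element_data>=0.23.0,<0.24".
"""
import re
from importlib.metadata import PackageNotFoundError, version

PACKAGE = "element-data"
COMPROMISED_VERSION = (0, 23, 3)   # malicious release named in the article
FIXED_VERSION = (0, 23, 4)         # release the maintainers advise updating to

NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
CLAUSE_RE = re.compile(r"(==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")


def normalize_name(name: str) -> str:
    """PEP 503 style: case-insensitive, runs of -_. collapse to a hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Turn '0.23.3' into (0, 23, 3); tuples compare the way versions should."""
    return tuple(int(p) for p in text.split("."))


def satisfies(ver: tuple, clauses: list) -> bool:
    """True if `ver` is admitted by every (operator, bound) clause."""
    for op, bound in clauses:
        if op == "==" and ver != bound:
            return False
        if op == "!=" and ver == bound:
            return False
        if op == ">=" and ver < bound:
            return False
        if op == ">" and ver <= bound:
            return False
        if op == "<=" and ver > bound:
            return False
        if op == "<" and ver >= bound:
            return False
        if op == "~=":  # compatible release: >= bound and same leading components
            prefix = bound[:-1]
            if ver < bound or ver[:len(prefix)] != prefix:
                return False
    return True


def classify(clauses: list) -> str:
    """Map a requirement's specifier set to an action for the responder."""
    pinned = [b for op, b in clauses if op == "=="]
    if COMPROMISED_VERSION in pinned:
        return "compromised"                 # the malicious release was installed
    if satisfies(COMPROMISED_VERSION, clauses):
        return "may-resolve-to-compromised"  # resolver could still pick 0.23.3
    if satisfies(FIXED_VERSION, clauses):
        return "ok"                          # 0.23.3 excluded, 0.23.4 reachable
    return "update-advised"                  # older pin, not malicious, below the fix


def audit_requirement(line: str):
    """Return (normalized name, status) for one requirement line, or None."""
    stripped = line.split("#", 1)[0].strip()   # drop trailing comments
    m = NAME_RE.match(stripped)
    if not stripped or not m:
        return None
    name = normalize_name(m.group(1))
    if name != PACKAGE:
        return (name, "not-affected")
    clauses = [(op, parse_version(v)) for op, v in CLAUSE_RE.findall(stripped)]
    return (name, classify(clauses))


def audit_manifest(text: str) -> list:
    """Audit every line of a requirements file; yields (lineno, name, status)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = audit_requirement(line)
        if hit is not None:
            results.append((lineno, hit[0], hit[1]))
    return results


def audit_installed(dist_name: str = PACKAGE) -> str:
    """Check the version actually installed in this interpreter, if any."""
    try:
        installed = parse_version(version(dist_name))
    except PackageNotFoundError:
        return "not-installed"
    except ValueError:
        return "unparsed-version"   # non-numeric version string; inspect by hand
    return classify([("==", installed)])


# Constructed sample manifest, not taken from the article.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
element-data==0.23.3        # the malicious release
numpy>=1.26
Element_Data>=0.23.0,<0.24  # range that still admits 0.23.3
element-data~=0.23.4        # compatible release, excludes 0.23.3
element-data==0.23.1        # pre-incident pin; update advised
element-data                # unpinned: resolver may pick anything
"""

if __name__ == "__main__":
    for lineno, name, status in audit_manifest(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name} -> {status}")
    print(f"installed {PACKAGE}: {audit_installed()}")
```

A "compromised" or "may-resolve-to-compromised" result is a trigger for the article's advice (treat the host as compromised, update to 0.23.4, rotate any secrets the package could have read), not proof by itself; the audit only tells you which machines and lockfiles to look at first.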

Excerpt limited to ~120 words for fair-use compliance. The full article is at Ars Technica.

