A widely used open-source package called element-data, with over 1 million monthly downloads, was compromised when attackers exploited a GitHub Actions vulnerability in the project's release workflow to steal its signing keys and publish a malicious release. The malicious version (0.23.3) harvested sensitive credentials from the systems it was installed on, including API tokens, SSH keys, and cloud provider credentials. It remained available for approximately 12 hours before being removed. Anyone who installed 0.23.3 during that window should assume every credential reachable from the affected machine or CI runner is compromised: rotate those secrets rather than waiting for evidence of misuse, and check lockfiles and CI build logs for the exact version, since an unpinned dependency resolved during the window can pull the bad release even when no one changed the manifest.
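The exposure check described above, as an added example that is not part of the original article or of the element-data project. The advisory does not name the package ecosystem, so the script assumes nothing about it: it walks a source tree, reads lockfiles and manifests with names common to the npm and Python ecosystems (an assumed list, extend it for your own), and flags any file where the package name appears within a short window of the exact version 0.23.3. It is a screening check; a hit in a manifest range such as ^0.23.0 still needs confirming against the resolved version in the lockfile. The sample tree in demo() is constructed for illustration.

```python
import os
import re
import tempfile

PACKAGE = "element-data"
BAD_VERSION = "0.23.3"

# Assumption: ecosystem unknown, so scan manifest/lockfile names from several
# ecosystems. Extend this set for Go, Rust, Ruby, etc. as your estate requires.
CANDIDATE_FILES = {
    "package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "requirements.txt", "Pipfile.lock", "poetry.lock", "pyproject.toml",
}


def mentions_bad_version(text, package=PACKAGE, version=BAD_VERSION):
    """True if `package` is followed, within 120 characters, by exactly `version`.

    The lookbehind/lookahead keep 0.23.3 from matching inside 10.23.3 or 0.23.31,
    so only the exact compromised release triggers a hit.
    """
    pattern = re.compile(
        re.escape(package)
        + r"[\s\S]{0,120}?"
        + r"(?<![\d.])" + re.escape(version) + r"(?![\d.])"
    )
    return pattern.search(text) is not None


def scan_tree(root, package=PACKAGE, version=BAD_VERSION):
    """Return the relative paths of candidate files that mention the bad version."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CANDIDATE_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file; report nothing rather than crash the sweep
            if mentions_bad_version(text, package, version):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (not real project data) and scan it."""
    samples = {
        # npm lockfile with the compromised release resolved: should be flagged
        "svc-a/package-lock.json": (
            '{\n "packages": {\n  "node_modules/element-data": {\n'
            '   "version": "0.23.3"\n  }\n }\n}\n'
        ),
        # Python pin on the previous release: should not be flagged
        "svc-b/requirements.txt": "requests==2.31.0\nelement-data==0.23.2\n",
        # yarn lockfile whose range resolved to 0.23.3: should be flagged
        "svc-c/yarn.lock": 'element-data@^0.23.0:\n  version "0.23.3"\n',
        # not a manifest or lockfile, so ignored even though it names the version
        "svc-d/notes.md": "element-data 0.23.3 is the bad release\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(target):
        print(hit)
```

Run it against a checkout root (`python scan.py /path/to/repos`) and treat every listed file as a machine or pipeline whose secrets need rotating. The 120-character window is deliberately loose so that lockfile formats that put the resolved version on a separate line are still caught; tighten it if it produces noise in your tree.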
Background
Open source software supply chain attacks have become increasingly common, with attackers targeting popular packages to distribute malware and steal sensitive data from developers and organizations.
- Source: Ars Technica
- Published: Apr 28, 2026 at 05:04 AM
- Score: 8.0 / 10