A critical security incident has been uncovered involving an open source software package with more than 1 million monthly downloads. Threat actors exploited a vulnerability in the developers’ account workflow to gain access to signing keys and other sensitive information.
On Friday, unknown attackers leveraged this vulnerability to push a malicious version of element-data, a command-line interface (CLI) tool designed to monitor performance and anomalies in machine-learning systems.
When executed, the compromised package, tagged as 0.23.3, scanned systems for sensitive data, including:
- User profiles
- Warehouse credentials
- Cloud provider keys
- API tokens
- SSH keys
The malicious version was published to the developers’ Python Package Index and Docker image accounts. It was removed approximately 12 hours later, on Saturday. Notably, Elementary Cloud, the Elementary dbt package, and all other CLI versions remained unaffected.
Immediate Action Required for Users
“Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed,” the developers warned.
Related articles
Fired IT Workers Accidentally Record Own Database Sabotage via Active Teams Call
Perhaps you remember Muneeb and Sohaib Akhter, the 34-year-old twin brothers we profiled earlier this week. Although they had the tech chops to commit...
Colorado's Age-Gating Bill Sparks Backlash from Linux Developers Over Privacy Concerns
In January, Colorado lawmakers introduced a proposal to make operating systems collect users' ages and pass them to app developers. The bill, SB26-051...
Windows 11 BitLocker Bypassed by Zero-Day Exploit 'YellowKey' in Seconds
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain compl...
Esports World Cup Relocates from Riyadh to Paris Amid Middle East Uncertainty
Uncertainty in the Middle East is apparently forcing the location change.
OpenAI Confirms No User Data Accessed in ChatGPT Mac App Security Breach
OpenAI found no evidence that user data was accessed.
Google to Limit New Accounts to 5GB Free Storage Without Phone Verification
Previously, you got 15GB whether you added a number or not.
Windows Update to Automatically Roll Back Faulty Drivers Soon
The company is also trying to prevent driver problems before they happen with a new initiative.
Windows 11 Update to Automatically Roll Back Faulty Drivers via Cloud Recovery
Microsoft is on a mission to fix Windows 11, and part of that involves improving the often-frustrating Windows Update experience. While you'll soon be...