Open source package with 1M monthly downloads stole user credentials
8 hours ago
- #Security Breach
- #GitHub Vulnerability
- #Open Source Compromise
- Open source software element-data, with over 1 million monthly downloads, was compromised after an attacker exploited a vulnerability in the developer's GitHub Actions workflow to obtain signing keys and other sensitive data.
- The malicious version 0.23.3, published on Friday, scoured the systems it ran on for sensitive information such as user profiles, credentials, and SSH keys; it was removed 12 hours later, on Saturday, and only that specific version was affected.
- Users of version 0.23.3 or the affected Docker image should assume potential exposure of all accessible credentials in the environment where it ran.
- The attacker gained access through a vulnerable GitHub Action: malicious code posted to a pull request ran a bash script that retrieved the workflow's data, including account tokens and signing keys, which were then used to publish a malicious package nearly indistinguishable from the legitimate one.
- A third party reported the compromise, after which the package was removed within three hours, credentials were rotated, the vulnerability was fixed, and other GitHub Actions were audited to prevent similar flaws.
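The audit of other GitHub Actions in the last item is the kind of check a maintainer can script. Below is an added example, not code from the affected project: a heuristic scan of workflow text for the pattern the incident describes, a pull-request-triggered job that checks out and runs the contributor's code while repository secrets are available. It assumes the standard `pull_request_target` trigger and the `actions/checkout` `ref:` input as the mechanism (the page names neither), and the two sample workflows are constructed.

```python
"""Heuristic audit for the "untrusted PR code runs with repository secrets"
GitHub Actions pattern. Added example, not the affected project's code."""
import re

# Trigger that runs fork PRs in the base repository's privileged context
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
# actions/checkout pinned to the PR head: the contributor controls that tree
HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}")
RUN_STEP = re.compile(r"^\s*-?\s*run:", re.M)    # a shell step runs in that tree
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+")  # secrets reach the job


def audit_workflow(text: str) -> list[str]:
    """Findings for one workflow's text. Regex heuristic: hits are leads for
    manual review, not verdicts; an empty list means the pattern is absent."""
    if not (PRIVILEGED_TRIGGER.search(text) and HEAD_CHECKOUT.search(text)):
        return []  # no untrusted code inside a privileged job
    findings = ["pull_request_target job checks out the PR head (untrusted code)"]
    if RUN_STEP.search(text):
        findings.append("a run: step executes inside that untrusted checkout")
    if SECRET_USE.search(text):
        findings.append("repository secrets are passed to that job")
    return findings


# Constructed samples: the risky shape, then the same job on the plain
# pull_request trigger, which GitHub runs for fork PRs without secrets.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && pytest
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
"""
HARDENED = """\
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && pytest
"""
```

Run `audit_workflow` over each file under `.github/workflows/` and review every hit by hand; the regexes do not parse YAML, so a trigger mentioned only in a comment will also match.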