Open source package with 1 million monthly downloads stole user credentials
Summary
An open source software package called element-data, used by many developers, was compromised by attackers who published a malicious version that stole sensitive data such as passwords and keys. The harmful version was removed roughly 12 hours after it was found, and users are advised to update to a safe version and change any credentials that may have been exposed.
Key Facts
- Element-data is a command-line tool used to monitor machine-learning systems, downloaded over 1 million times per month.
- Attackers exploited a weakness in the developers' GitHub workflow to access signing keys and sensitive information.
- A malicious version (0.23.3) was published, which collected sensitive data, including user profiles, passwords, cloud keys, and API tokens.
- The bad version was removed about 12 hours after it was found, and a safe version (0.23.4) was released.
- Developers advise users who installed version 0.23.3 to uninstall it, install version 0.23.4, delete cache files, and check for a specific marker file that shows whether the malware ran on their machines.
- Users should also change any credentials that could have been accessed while the malicious version ran.
- The developers fixed the vulnerability in their GitHub workflow and audited other parts of their system to prevent similar attacks.
- Supply-chain attacks on open source software like this have increased in recent years, often starting with small weaknesses in developer tools.
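As an added example (not code from the article or from the element-data project), the following triage helper walks a constructed software inventory and lists which hosts need the remediation steps above. The inventory format, host names and the marker-file path are assumptions; the summary does not name the real marker file, so a placeholder is used.

```python
"""Triage helper for the element-data 0.23.3 incident (added example).

Inventory lines use a constructed format: host,package,version,marker_present
The affected and fixed versions come from the article; the marker-file path is
not given in the summary, so MARKER_PATH is a placeholder.
"""
from dataclasses import dataclass, field

MALICIOUS_VERSION = "0.23.3"   # version reported as credential-stealing
FIXED_VERSION = "0.23.4"       # version the developers shipped as safe
MARKER_PATH = "/path/to/marker-file-named-in-advisory"  # placeholder

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """\
host,package,version,marker_present
ml-train-01,element-data,0.23.3,yes
ml-train-02,element-data,0.23.4,no
ml-train-03,element-data,0.23.2,no
ml-train-04,element-data,0.23.4,yes
ci-runner-07,element-data,0.23.3,no
"""


@dataclass
class Finding:
    host: str
    version: str
    marker_present: bool
    actions: list = field(default_factory=list)


def triage(inventory_csv: str, package: str = "element-data") -> list:
    """Return one Finding per host that still needs remediation.

    A host is flagged if the malicious version is installed, or if the marker
    file is present (the malware ran, even if the package was since upgraded).
    """
    findings = []
    for line in inventory_csv.strip().splitlines()[1:]:  # skip CSV header
        host, pkg, version, marker = [f.strip() for f in line.split(",")]
        if pkg != package:
            continue
        marker_present = marker.lower() == "yes"
        bad_version = version == MALICIOUS_VERSION
        if not (bad_version or marker_present):
            continue
        actions = []
        if bad_version:
            actions += [f"uninstall {package} {MALICIOUS_VERSION}",
                        f"install {package} {FIXED_VERSION}",
                        "delete package cache files",
                        f"check for marker file {MARKER_PATH}"]
        # Article: rotate any credential that could have been accessed.
        actions.append("rotate credentials reachable from this host")
        findings.append(Finding(host, version, marker_present, actions))
    return findings
```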
This is a fact-based summary from The Actual News.