Open source package with 1 million monthly downloads stole user credentials
If you're one of millions using element-data, it's time to check for compromise.
Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a vulnerability in the developers’ account workflow that gave access to its signing keys and other sensitive information. On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems. When run, the malicious package scoured systems for sensitive data, including user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys, developers said.

The malicious version was tagged as 0.23.3 and was published to the developers’ Python Package Index and Docker image accounts. It was removed about 12 hours later, on Saturday. Elementary Cloud, the Elementary dbt package, and all other CLI versions weren't affected.

Assume compromise

“Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed,” the developers wrote.
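As an added example (not code from the article or from the Elementary project), the script below is a small Python audit a defender can run to find the compromised 0.23.3 release in `pip freeze` output, in the interpreter it runs in, and in a list of container image references. The package name is taken from the article as written; that the image repository is named like the package is an assumption, and the sample inputs are constructed.

```python
import re
from importlib import metadata

# Package name and version as reported in the article.
AFFECTED_PACKAGE = "element-data"
AFFECTED_VERSION = "0.23.3"

def normalize(name: str) -> str:
    """PEP 503 name normalization: 'Element_Data' and 'element-data' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text: str) -> list[tuple[str, str]]:
    """Parse 'pip freeze' output into (name, version) pairs; comments and unpinned lines are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins.append((name.strip(), version.strip()))
    return pins

def affected_pins(pins) -> list[tuple[str, str]]:
    """Return the pins that are exactly the compromised release (name compared after normalization)."""
    return [(n, v) for n, v in pins
            if normalize(n) == normalize(AFFECTED_PACKAGE) and v == AFFECTED_VERSION]

def affected_images(image_refs, repo_name=AFFECTED_PACKAGE) -> list[str]:
    """Flag image refs like 'registry/repo:tag' whose repo name matches and whose tag is the bad version.
    The repository being named like the PyPI package is an assumption, hence the parameter."""
    hits = []
    for ref in image_refs:
        repo, _, tag = ref.rpartition(":")
        if not repo or "/" in tag:      # no tag, or ':' belonged to a registry port
            continue
        if normalize(repo.rsplit("/", 1)[-1]) == normalize(repo_name) and tag == AFFECTED_VERSION:
            hits.append(ref)
    return hits

def scan_current_environment() -> list[tuple[str, str]]:
    """Check the interpreter this runs in, using installed distribution metadata."""
    pins = [(d.metadata["Name"], d.version) for d in metadata.distributions()]
    return affected_pins(pins)

# Constructed sample inputs, not data from the article.
SAMPLE_FREEZE = """requests==2.32.3
Element_Data==0.23.3   # pinned in a CI image
element-data==0.23.2
"""
SAMPLE_IMAGES = ["example.invalid/element-data:0.23.3", "registry:5000/element-data", "python:3.12"]
```

Run `affected_pins(parse_freeze(SAMPLE_FREEZE))` and `affected_images(SAMPLE_IMAGES)` against real `pip freeze` output and your image inventory; any hit means the credentials reachable from that environment should be treated as exposed, as the developers advise.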
Source: Ars Technica