Ars Technica, Apr 27, 2026 at 21:04

Open source package with 1 million monthly downloads stole user credentials

If you're one of millions using element-data, it's time to check for compromise.

By Dan Goodin

Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a vulnerability in the developers’ account workflow that gave access to its signing keys and other sensitive information.

On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems. When run, the malicious package scoured systems for sensitive data, including user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys, developers said.

The malicious version was tagged as 0.23.3 and was published to the developers’ Python Package Index and Docker image accounts. It was removed about 12 hours later, on Saturday. Elementary Cloud, the Elementary dbt package, and all other CLI versions weren't affected.

Assume compromise

“Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed,” the developers wrote.
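An added example, not from the article or from the Elementary developers: a Python check that walks the directories you give it for installed package metadata and flags the version named above. The package name and version string are taken from the article as written; the directories to scan are an assumption you supply.

```python
import re
import sys
from pathlib import Path

# Package name and version exactly as reported in the article above.
PACKAGE = "element-data"
BAD_VERSIONS = {"0.23.3"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def read_metadata(dist_info):
    """Return (name, version) from a *.dist-info/METADATA file, or None."""
    meta = dist_info / "METADATA"
    if not meta.is_file():
        return None
    fields = {}
    for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip():
            break  # headers end at the first blank line; the rest is description
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Version"):
            fields.setdefault(key, value.strip())
    if "Name" in fields and "Version" in fields:
        return fields["Name"], fields["Version"]
    return None


def find_installs(roots, package=PACKAGE, bad_versions=BAD_VERSIONS):
    """Walk each root recursively; return sorted (path, version, flagged) tuples."""
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue  # skip missing paths and zip entries from sys.path
        for dist_info in Path(root).rglob("*.dist-info"):
            parsed = read_metadata(dist_info)
            if parsed and normalize(parsed[0]) == normalize(package):
                hits.append((str(dist_info), parsed[1], parsed[1] in bad_versions))
    return sorted(hits)


if __name__ == "__main__":
    # Assumption: arguments are directories holding virtualenvs or site-packages.
    for path, version, flagged in find_installs(sys.argv[1:] or sys.path):
        print("FLAGGED" if flagged else "ok", version, path)
```

An empty result only shows that the flagged version is not installed in those directories now; it does not show that it never ran there.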
