An open-source package with over 1 million monthly downloads was compromised last week when unknown attackers exploited a vulnerability in the developers' account workflow, gaining access to signing keys and sensitive information.
The malicious update, dubbed element-data, scoured systems for user profiles, cloud credentials, API tokens and SSH keys. The package was swiftly removed but not before causing alarm among users who installed version 0.23.3 or pulled the affected Docker image.
The vulnerability stemmed from a GitHub Actions workflow into which the attackers were able to inject malicious code, giving them access to sensitive data. The developers learned of the breach only through a third-party report, within three hours, and promptly removed the package, rotated credentials and audited their actions to prevent a recurrence.
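The report does not say which workflow misconfiguration let the attackers' code run with access to the signing keys. The script below is an added example, not code from the article or from the affected project: it audits GitHub Actions workflow files for the common class of mistake in which a workflow triggered by an untrusted pull request (for example `pull_request_target`) checks out the pull request's own code or interpolates event text while repository secrets are in scope. That this incident fell into that class is an assumption made for the example; the two workflow snippets are constructed for illustration, and the NPM_TOKEN secret name is a placeholder.

```python
"""Heuristic audit of GitHub Actions workflows for untrusted-code-with-secrets patterns.

Line-based scan (no YAML library needed) so it runs offline on any workflow file.
Added example for this article; the sample workflows below are constructed.
"""
import re
import textwrap
from dataclasses import dataclass

# Triggers that run in the base repository's context (secrets available) even
# when the event originates from a fork.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")

# Expressions that point a checkout at code supplied by the pull-request author.
PR_HEAD_REF = re.compile(
    r"github\.event\.(pull_request\.head\.(sha|ref)|workflow_run\.head_(sha|branch))"
)
# Free-text event fields interpolated directly into the workflow (script injection).
TEXT_INPUT = re.compile(
    r"\$\{\{\s*github\.event\.(issue\.(title|body)|pull_request\.(title|body)"
    r"|comment\.body|review\.body)\s*\}\}"
)
# Explicit use of a repository secret (GITHUB_TOKEN is in scope regardless).
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    line: int       # 1-based line in the workflow text
    message: str


def privileged_triggers(text: str) -> list:
    """Return the privileged triggers named anywhere in the workflow text."""
    return [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", text)]


def audit_workflow(text: str) -> list:
    """Scan one workflow file's text and return a list of Finding objects."""
    lines = text.splitlines()
    privileged = privileged_triggers(text)
    has_secrets = any(SECRET_USE.search(line) for line in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        if privileged and PR_HEAD_REF.search(line):
            msg = f"checks out pull-request code under privileged trigger '{privileged[0]}'"
            if has_secrets:
                msg += " with repository secrets in scope"
            findings.append(Finding("high" if has_secrets else "medium", no, msg))
        if TEXT_INPUT.search(line):
            findings.append(Finding(
                "high" if privileged else "medium", no,
                "untrusted event text interpolated into the workflow (script injection risk)",
            ))
    return findings


# Constructed sample: runs the PR author's code with a publishing token available.
RISKY_WORKFLOW = textwrap.dedent("""\
    name: ci
    on:
      pull_request_target:
        types: [opened, synchronize]
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
            with:
              ref: ${{ github.event.pull_request.head.sha }}
          - run: npm ci && npm test
            env:
              NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""")

# Constructed sample: fork PRs run without secrets and with a read-only token.
HARDENED_WORKFLOW = textwrap.dedent("""\
    name: ci
    on:
      pull_request:
    jobs:
      test:
        runs-on: ubuntu-latest
        permissions:
          contents: read
        steps:
          - uses: actions/checkout@v4
          - run: npm ci && npm test
""")


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}:")
        for f in audit_workflow(wf) or []:
            print(f"  [{f.severity}] line {f.line}: {f.message}")
        if not audit_workflow(wf):
            print("  no findings")
```

The scan is deliberately conservative: a `pull_request` trigger (no secrets for forks) or a `pull_request_target` workflow that never checks out the PR head produces no finding, while the combination of a privileged trigger, a checkout of `head.sha`/`head.ref` and an explicit secret is rated high. It is a first-pass filter for reviewers, not a replacement for reading the workflow.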
This incident highlights the importance of robust security practices in open-source development communities, as well as the need for vigilance among users who rely on such tools. It serves as a reminder that even trusted software can harbour risks if not properly secured.