How a Popular Open Source Package Was Hijacked to Steal User Credentials

A widely used open source tool with over one million monthly downloads fell victim to a supply chain attack after attackers exploited a vulnerability in the developer's account workflow. The compromised package, element-data, was updated with malicious code that harvested sensitive credentials from users' systems before being caught and removed. This incident highlights the growing risks in open source dependencies and the need for robust security practices.

What exactly happened to the element-data package?

On Friday, unknown attackers leveraged a vulnerability in the developer's account management process to gain access to signing keys and other confidential information. They used this access to publish a malicious version of element-data (tagged as 0.23.3), a command-line interface designed to monitor machine learning performance and anomalies. When users ran this version, it silently scanned their systems for sensitive data, including user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys. The malicious release was distributed via the developer's Python Package Index (PyPI) and Docker image accounts, affecting both CLI installations and Docker pulls.

How did attackers manage to compromise the developer's account?

The threat actor exploited a flaw in the developers' account workflow, which allowed them to bypass normal security controls. This vulnerability gave them access to signing keys and other sensitive information that typically verify the integrity and authenticity of software releases. By gaining control over these keys, the attackers could sign and publish a malicious update as if it were legitimate, tricking users into downloading compromised code. The exact nature of the workflow vulnerability has not been fully disclosed, but it underscores how even trusted open source projects can be hijacked through account-level weaknesses.

What type of data did the malicious version steal?

Once the compromised version was executed, it performed a thorough sweep of the user's environment. It targeted:

• User profiles – system user information
• Warehouse credentials – access details for data warehouses
• Cloud provider keys – tokens and keys for AWS, Azure, GCP, etc.
• API tokens – tokens for various services and integrations
• SSH keys – private keys used for secure remote access

This data, if exfiltrated, could allow attackers to access cloud infrastructure, databases, and other critical systems, leading to broader breaches.

Which platforms and versions were affected by the attack?

The malicious update was published under version 0.23.3 and made available on two major platforms: the developer's Python Package Index (PyPI) account and their Docker image repository. Users who installed this exact version via pip or who pulled and ran the corresponding Docker image were directly exposed. However, the developers confirmed that Elementary Cloud, the Elementary dbt package, and all other CLI versions (including earlier releases) were not affected. The malicious version remained online for approximately 12 hours before being removed on Saturday.

What should users who installed the malicious package do now?

Developers of element-data urged anyone who installed version 0.23.3 or used the affected Docker image to assume compromise. They recommended that users:

1. Immediately revoke and rotate all credentials and keys that were accessible in the environment where the package ran.
2. Audit systems for any signs of unauthorized access or data exfiltration.
3. Review cloud, API, and SSH key usage logs for suspicious activity.
4. Upgrade to a clean version of element-data (0.23.4 or later) once released.
5. Consider implementing additional security measures, such as multi‑factor authentication and credential scanning, to minimize future risk.

Given the sensitive nature of the stolen data, immediate action is critical.

How can open source users protect themselves from similar supply chain attacks?

This incident serves as a reminder that even popular packages with millions of downloads can be compromised. To reduce risk:

• Verify package integrity – use checksums, signatures, or package managers that validate authenticity.
• Limit automated updates – pin dependencies to known good versions and test updates in isolated environments.
• Monitor for unusual behavior – watch for unexpected data access or network connections from installed packages.
• Audit dependencies – regularly review your software supply chain for vulnerabilities and unfamiliar packages.
• Use least privilege – run packages with minimal required access to prevent credential theft.

Staying informed about security advisories and contributing to open source security initiatives also helps the community respond faster.