DigiNews

Tech Watch by Johan Denoyer

Open source package with 1 million monthly downloads stole user credentials

Quality: 8/10 Relevance: 9/10

Summary

Ars Technica reports that element-data, a popular open-source CLI package, was compromised when attackers exploited a flaw in the maintainers' GitHub Actions workflow, enabling theft of signing keys and credentials. The malicious 0.23.3 release was published to PyPI and Docker, exposed environment secrets, and was rapidly removed; the developers advise immediate credential rotation and upgrading to 0.23.4, plus CI/CD hygiene to prevent similar attacks.

🚀 Service built by Johan Denoyer