Malicious Update to Popular Open-Source Tool Steals Credentials - Over 1M Monthly Downloads Affected

By ⚡ min read

<h2>BREAKING: Credential-Stealing Malware Hits Open-Source Package With 1M+ Monthly Downloads</h2>Attackers have compromised a widely used open-source command-line tool, injecting credential-stealing code into a malicious update. Element-data, a Python and Docker package for monitoring machine-learning systems, had its malicious version 0.23.3 pushed to PyPI and Docker Hub on Friday. The package attracts over 1 million monthly downloads.<figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2025/06/browser-security-threat-1152x627.jpg" alt="Malicious Update to Popular Open-Source Tool Steals Credentials - Over 1M Monthly Downloads Affected" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure>When executed, the malicious code searches for and exfiltrates sensitive user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys, according to developers at Elementary Cloud, the company behind the project. The malware was removed about 12 hours later, on Saturday. Elementary Cloud stressed that Elementary Cloud, the Elementary dbt package, and all other CLI versions were not affected.<h3>Immediate Actions Required</h3>“Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed,” the developers wrote in an advisory. They urged immediate rotation of all potentially exposed credentials and a thorough security review of affected systems.<h2 id="background">Background: How the Attack Happened</h2>The attack exploited a vulnerability in the developers’ account workflow that gave the threat actor access to signing keys and other sensitive information. This allowed the attacker to publish a legitimate-looking update to official repositories. The incident is a stark reminder of the risks in the open-source software supply chain.<ul><li>Vector: Workflow vulnerability – likely a compromised CI/CD pipeline or weak access controls.</li><li>Impact: Direct access to PyPI and Docker Hub publish credentials and code-signing keys.</li><li>Timeline: Malicious push Friday; removal Saturday after internal detection.</li></ul><h2 id="what-this-means">What This Means</h2>Organizations and developers who use element-data in automated pipelines or local environments are at high risk. Any credentials stored in environment variables, configuration files, or cloud metadata accessible from the system running version 0.23.3 must be considered compromised. The attack chain could lead to lateral movement in cloud environments, data breaches, or further supply-chain attacks.<figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2025/06/browser-security-threat-640x334.jpg" alt="Malicious Update to Popular Open-Source Tool Steals Credentials - Over 1M Monthly Downloads Affected" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure>“This is a classic supply chain attack – the malware is delivered through a trusted update channel,” said Dr. Sarah Lin, a cybersecurity researcher at the Open Source Security Foundation. “The 12‑hour window is enough for automated scanners to spread the malware across multiple systems.”Experts recommend immediately isolating any system that ran the malicious version, auditing all API tokens and cloud provider keys, and enabling multi-factor authentication (MFA) on package publishing workflows. Long-term, the incident underscores the need for code signing and reproducible builds in open-source projects.For more details, see the <a href="#background">full background analysis</a> and <a href="#what-this-means">impact assessment</a>.