The compromised package, version 0.23.3, was downloaded over 1 million times monthly and removed after 12 hours.
The malicious code harvested sensitive data such as user profiles, cloud keys, and API tokens from affected systems before developers intervened.
Developers have rotated credentials, fixed the GitHub vulnerability, and audited other actions; they advise anyone who installed version 0.23.3 to assume their credentials were exposed.
Was the bizarre exfiltration URL a clue to the identity of the `element-data` hackers?
Beyond cloud keys, what surprising data did the malicious package secretly steal?
Could keyless signing with Sigstore have prevented this million-download software attack?
How can one GitHub comment let hackers steal your company's cloud credentials?
As supply chain attacks surge, must we rethink our trust in open-source software?
With AI bots now hacking GitHub, is the open-source world losing the security war?