{"id":326145,"date":"2026-04-29T05:52:50","date_gmt":"2026-04-29T00:22:50","guid":{"rendered":"https:\/\/ebiztoday.news\/?p=326145"},"modified":"2026-04-29T05:52:50","modified_gmt":"2026-04-29T00:22:50","slug":"open-source-package-with-1-million-monthly-downloads-stole-user-credentials","status":"publish","type":"post","link":"https:\/\/ebiztoday.news\/index.php\/2026\/04\/29\/open-source-package-with-1-million-monthly-downloads-stole-user-credentials\/","title":{"rendered":"Open source package with 1 million monthly downloads stole user credentials"},"content":{"rendered":"<div>\n<p>The developers are urging all developers who installed version 0.23.3 to take the following steps immediately:<\/p>\n<blockquote>\n<p>1. Check your installed version:<\/p>\n<p><code>pip show elementary-data | grep Version<\/code><\/p>\n<p>2. If the version is 0.23.3, uninstall it and replace it with the secure version:<\/p>\n<p><code>pip uninstall elementary-data<\/code><\/p>\n<p><code>pip install elementary-data==0.23.4<\/code><\/p>\n<p>In your requirements and lockfiles, pin explicitly to elementary-data==0.23.4.<\/p>\n<p>3. Delete your cache files to avoid any artifacts.<\/p>\n<p>4. Check for the malware\u2019s marker file on any machine where the CLI could have run: If this file is present, the payload executed on that machine.<\/p>\n<p><code>macOS \/ Linux: \/tmp\/.trinny-security-update<\/code><\/p>\n<p><code>Windows: %TEMP%\\.trinny-security-update<\/code><\/p>\n<p>5. Rotate any credentials that were accessible from the environment where 0.23.3 ran \u2013 dbt profiles, warehouse credentials, cloud provider keys, API tokens, SSH keys, and the contents of any .env files. CI\/CD runners are especially exposed because they typically have broad sets of secrets mounted at runtime.<\/p>\n<p>6. Contact your security team to hunt for unauthorized usage of exposed credentials. 
The relevant IOCs are <a href=\"https:\/\/www.elementary-data.com\/post\/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3\">at the bottom of this post<\/a>.<\/p>\n<\/blockquote>\n<p>Over the past decade, supply-chain attacks on open source repositories have become increasingly common. In some cases, they&#8217;ve produced a chain of compromises: the malicious package breaches its users and, from there, the compromise of those users\u2019 environments leads to further breaches.<\/p>\n<p>HD Moore, a hacker with more than four decades of experience and the founder and CEO of runZero, said that user-developed repository workflows, such as GitHub Actions, are notorious for hosting vulnerabilities.<\/p>\n<p>It\u2019s \u201ca serious problem for open source projects with open repos,\u201d he said. \u201cIt\u2019s really hard to not unintentionally create dangerous workflows that may be exploited by an attacker\u2019s pull request.\u201d<\/p>\n<p>He said <a href=\"https:\/\/github.com\/zizmorcore\/zizmor\">this package<\/a> can be used to check for such vulnerabilities.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The developers are urging all developers who installed version 0.23.3 to take the following steps immediately: 1. Check your installed version: pip show elementary-data | grep Version 2. 
If the version is 0.23.3, uninstall it and replace it with the secure version: pip uninstall elementary-data pip install elementary-data==0.23.4 In your requirements and lockfiles, pin explicitly [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":326146,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[10713,17290,692,464,1574,9129,4174,19347,4295],"class_list":["post-326145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-credentials","tag-downloads","tag-million","tag-monthly","tag-open","tag-package","tag-source","tag-stole","tag-user"],"aioseo_notices":[{"message":"The permalink for this post just changed! This could result in 404 errors for your site visitors.","status":"warning","options":{"id":"0a2ae5f84bc2c0423042ed7ec22d2e40","isDismissible":true,"actions":[{"url":"https:\/\/ebiztoday.news\/wp-admin\/admin.php?page=aioseo-redirects","label":"Add Redirect to improve 
SEO","class":"aioseo-redirects-slug-changed"}]},"allowedContexts":["posts"]}],"_links":{"self":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/326145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/comments?post=326145"}],"version-history":[{"count":2,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/326145\/revisions"}],"predecessor-version":[{"id":326148,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/326145\/revisions\/326148"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media\/326146"}],"wp:attachment":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media?parent=326145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/categories?post=326145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/tags?post=326145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}