Steadvar — News without the noise

Open Source CLI Package Compromised, Malicious Version Removed

Technology · Crime · 4/27/2026

A widely used open source software package, element-data, was compromised after attackers exploited a vulnerability in the developers' account workflow. The malicious version, which searched systems for sensitive data, was published to public repositories but was removed approximately 12 hours later. Elementary Cloud, the Elementary dbt package, and all other versions of the CLI were not affected.

Facts First

  • The element-data CLI package was compromised after attackers exploited a vulnerability in the developers' account workflow.
  • A malicious version (0.23.3) was published to the Python Package Index (PyPI) and Docker image accounts.
  • The compromised package searched systems for sensitive data, including credentials, API tokens, and SSH keys.
  • The malicious version was removed approximately 12 hours after its publication.
  • Elementary Cloud, the Elementary dbt package, and other CLI versions were not affected by the compromise.

What Happened

An open source software package with more than 1 million monthly downloads was compromised. A threat actor exploited a vulnerability in the developers’ account workflow to gain access to signing keys and other sensitive information. On Friday, unknown attackers used this access to push a new, malicious version of element-data, a command-line interface (CLI) used to monitor performance and anomalies in machine-learning systems. The malicious version, tagged as 0.23.3, was published to the developers’ Python Package Index (PyPI) and Docker image accounts. When executed, it searched systems for sensitive data, including user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys. The malicious version was removed approximately 12 hours after its publication, on Saturday.

Why this Matters to You

If you use open source software for data or development work, your system's security may depend on the integrity of these packages. This incident shows that even popular tools can be compromised, potentially exposing your credentials and sensitive data. You may need to check if you installed the affected version (0.23.3) of element-data and review your systems for any signs of data exfiltration.
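One way to run that check, as an added example (not code from the article or from the package's developers): it looks for version 0.23.3 of element-data in the Python environment it runs under and in requirements or `pip freeze` text. The package name and version are taken from the article; the sample text and the extra name in it are constructed, and Docker images are not covered.

```python
import re
from importlib import metadata

AFFECTED_NAME = "element-data"  # package name as given in the article
AFFECTED_VERSION = "0.23.3"     # malicious version as given in the article

# Constructed sample of requirements / `pip freeze` text (not real data).
SAMPLE = """\
# constructed sample
example-lib==1.0.0
Element_Data==0.23.3
element-data==0.23.2
element-data[extra]==0.23.3 ; python_version >= "3.9"
element-data>=0.23
"""

# Matches `name==version` pins, tolerating extras and environment markers.
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned_affected(text):
    """Return 1-based line numbers that pin the affected version exactly."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == AFFECTED_NAME and m.group(2) == AFFECTED_VERSION:
            hits.append(lineno)
    return hits


def installed_affected():
    """Return install locations of the affected version visible to this interpreter."""
    hits = []
    for dist in metadata.distributions():
        try:
            name, version = dist.metadata.get("Name"), dist.version
        except Exception:  # skip distributions with unreadable metadata
            continue
        if name and normalize(name) == AFFECTED_NAME and version == AFFECTED_VERSION:
            hits.append(str(dist.locate_file("")))
    return hits


if __name__ == "__main__":
    print("affected pins on sample lines:", pinned_affected(SAMPLE))
    print("affected installs:", installed_affected() or "none found")
```

Run it with each interpreter or virtual environment in use, since it only sees the environment it executes in. A clean result today does not show that 0.23.3 was never installed and later upgraded, so install logs and lock-file history from the 12-hour window are worth reviewing as well.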

What's Next

The developers have removed the malicious package, which may prevent new infections. However, systems that installed version 0.23.3 during the 12-hour window it was available could still be compromised. Users and organizations are likely to be advised to audit their installations and rotate any credentials that may have been exposed. The broader open source community may scrutinize account security workflows to prevent similar exploits.

Perspectives

The developers warn that users of version 0.23.3 or the affected Docker image "should assume that any credentials accessible to the environment where it ran may have been exposed."