Open Source Software Compromised, User Credentials Stolen
An open-source software package with over 1 million monthly downloads was compromised after attackers exploited a vulnerability in the developers' account workflow. The breach gave the attackers access to signing keys and other sensitive information. They then published a malicious version of the element-data package that scoured systems for sensitive data such as user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys. The malicious version, tagged 0.23.3, was removed within 12 hours of its release. The developers have since rotated all affected credentials and audited their GitHub Actions workflows to prevent a repeat of the compromise.
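The first question for anyone who consumes this package is whether a build pulled in the compromised release; the check below is an added example, not code from the advisory or the project. The page does not say which ecosystem element-data belongs to, so the example assumes two common lockfile formats (npm package-lock.json with lockfileVersion 2/3, and pip requirements.txt pins) and uses constructed sample inputs.

```python
# Added example (not from the advisory): flag the compromised element-data 0.23.3
# release in dependency manifests. The page does not say which ecosystem the
# package belongs to, so this assumes two common formats: npm package-lock.json
# (lockfileVersion 2/3) and pip requirements.txt pins. Samples are constructed.
import json
import re

# Coordinates from the advisory: package name and the malicious version tag.
COMPROMISED = {("element-data", "0.23.3")}


def scan_package_lock(text: str) -> list[str]:
    """Return lockfile entries (node_modules/...) pinned to a compromised version."""
    lock = json.loads(text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested installs
        if (name, meta.get("version")) in COMPROMISED:
            hits.append(path)
    return hits


# Matches exact pins such as "element-data==0.23.3"; PyPI names are case-insensitive.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def scan_requirements(text: str) -> list[str]:
    """Return 'name==version' lines that pin a compromised release."""
    hits = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m and (m.group(1).lower(), m.group(2)) in COMPROMISED:
            hits.append(f"{m.group(1)}=={m.group(2)}")
    return hits


# Constructed sample inputs: one clean entry and one compromised entry each.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/element-data": {"version": "0.23.3"},
}})
SAMPLE_REQS = "requests==2.31.0\nElement-Data==0.23.3  # added last week\n"

if __name__ == "__main__":
    print(scan_package_lock(SAMPLE_LOCK))  # ['node_modules/element-data']
    print(scan_requirements(SAMPLE_REQS))   # ['Element-Data==0.23.3']
```

A hit in either scanner means the credentials reachable from that build environment (cloud keys, API tokens, SSH keys) should be treated as exposed and rotated, mirroring the response the maintainers describe.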