Open-source supply-chain attack steals credentials via poisoned package

April 27, 2026 at 09:43 PM

•

1 min read

Open-source supply-chain attack steals credentials via poisoned package — Photo: Ars Technica

TL;DR Summary

Attackers exploited a GitHub Actions workflow to gain access to signing keys and credentials, publishing a malicious element-data 0.23.3 package that scanned environments for sensitive data; the package was removed within ~12 hours, credentials rotated, and users are urged to upgrade to 0.23.4, purge caches, and rotate any exposed secrets.

Topics:technology #credentials #github-actions #malware #open-source #supply-chain-attack #technology

Share this article

Open source package with 1 million monthly downloads stole user credentials Ars Technica

Reading Insights

Total Reads

Unique Readers

Time Saved

4 min

vs 5 min read

Condensed

94%

882 → 50 words

Want the full story? Read the original article

Read on Ars Technica

JavaScript Required

tl;dr daily news requires JavaScript to be enabled. Please enable JavaScript in your browser settings.

Related Sources

Reading Insights