Over 1 Million Downloads: Open Source Toolkit Caught Stealing Cloud Credentials, API Keys

BREAKING: element-data Compromised – Credentials Stolen

A popular open source package with over one million monthly downloads was hijacked after attackers exploited a flaw in the developers’ account workflow, gaining access to signing keys and publishing a malicious version that stole sensitive credentials.

“Users who installed version 0.23.3 should assume that all credentials accessible to the environment where it ran may have been exposed,” the developers of element-data warned in an urgent advisory posted Friday.

The malicious release, tagged as 0.23.3, was published to the official Python Package Index (PyPI) and Docker Hub accounts on Friday. It was removed about 12 hours later, on Saturday.

When executed, the compromised version scoured systems for user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys, according to the team behind Elementary Cloud.

Background: What Is element-data?

Element-data is a command-line interface (CLI) tool used by machine-learning engineers to monitor performance and detect anomalies in ML systems. It is maintained by Elementary Cloud, a data observability platform.

The package enjoys widespread adoption, with more than one million downloads per month, making it a prime target for supply chain attacks. The attacker exploited a vulnerability in the developers’ account workflow to obtain signing keys and other sensitive information.

The elementary Cloud platform itself, the Elementary dbt package, and all other CLI versions were not affected. The incident is limited to version 0.23.3 of element-data.

What This Means: Immediate Action Required

Any user who installed or ran version 0.23.3 must immediately rotate all credentials that were accessible in the environment. This includes cloud provider keys, database credentials, API tokens, and SSH keys.

“This is a textbook supply chain attack,” said Jane T. Hunt, a cybersecurity analyst at ThreatWatch. “The sheer volume of downloads means the blast radius could be enormous. Organizations need to treat every environment that used this tool as potentially compromised.”

The developers recommend assuming complete exposure. Users should also review any systems that may have executed the malicious Docker container or Python code and monitor for unusual activity.

Key steps for affected users:

• Rotate all credentials (cloud provider keys, API tokens, SSH keys, warehouse credentials).
• Audit recent access logs for unauthorized activity.
• Check for any new or unexpected resources created in cloud accounts.
• Ensure multi-factor authentication is enabled on all sensitive accounts.

For more context on this type of attack, see the Background section above.

This incident underscores the growing risk in open source software dependencies. As attackers increasingly target popular packages, developers must enforce stronger access controls and monitoring for their publishing workflows.