
Malicious Open Source Package Stole Developer Credentials

Ars Technica

A popular open source package with over 1 million monthly downloads was found stealing developer credentials. The malicious code was embedded in elementary-data version 0.23.3, which harvested sensitive authentication tokens including cloud provider keys, API tokens, and SSH keys from developer environments.

Developers who installed the compromised version must immediately uninstall it and upgrade to version 0.23.4. They should also check for the malware's marker file at /tmp/.trinny-security-update on Mac/Linux or %TEMP%\.trinny-security-update on Windows. Anyone who ran the infected package needs to rotate all potentially exposed credentials—dbt profiles, warehouse credentials, and contents of .env files. CI/CD runners are especially vulnerable since they typically have broad sets of secrets mounted at runtime.
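The remediation steps above (check the installed version, look for the marker file, rotate anything that was exposed) are mechanical enough to script. The following is an added example written for this summary; it is not code from the Ars Technica article or from the elementary project. It assumes the package is installed under its PyPI name `elementary-data`, that `%TEMP%` on Windows maps to the `TEMP` environment variable, and that only the version named in the report (0.23.3) is malicious; the `ROTATION_TARGETS` list and the function names are this example's own.

```python
"""Post-incident check for the elementary-data 0.23.3 compromise.

Added example, not from the article or the elementary project. It checks
the two signals the report gives (affected version installed, marker file
present) and prints the rotation checklist the report recommends.
"""
import os
import sys
import tempfile
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

PACKAGE = "elementary-data"          # PyPI name (assumption)
AFFECTED_VERSION = "0.23.3"          # the only version the report names as malicious
FIXED_VERSION = "0.23.4"
MARKER_NAME = ".trinny-security-update"

# Credential classes the report says were harvested; used only to build
# the rotation checklist printed to the operator.
ROTATION_TARGETS = (
    "dbt profiles",
    "warehouse credentials",
    "contents of .env files",
    "cloud provider keys, API tokens and SSH keys",
)


def marker_candidates():
    """Paths where the report says the marker file is written."""
    if sys.platform.startswith("win"):
        temp = os.environ.get("TEMP", tempfile.gettempdir())  # %TEMP% (assumption)
        return [Path(temp) / MARKER_NAME]
    return [Path("/tmp") / MARKER_NAME]


def installed_version(package=PACKAGE):
    """Installed version string from package metadata, or None if absent."""
    try:
        return version(package)
    except PackageNotFoundError:
        return None


def is_affected_version(installed):
    """True only for the exact version the report names."""
    return installed == AFFECTED_VERSION


def find_markers(paths):
    """Return the candidate paths that actually exist as files."""
    return [str(p) for p in paths if Path(p).is_file()]


def assess(installed, markers):
    """Combine both signals into a verdict and an ordered action list."""
    affected = is_affected_version(installed)
    actions = []
    if affected:
        actions.append(
            f"pip uninstall -y {PACKAGE} && pip install {PACKAGE}=={FIXED_VERSION}"
        )
    if markers and not affected:
        # Marker left behind by an earlier run even though the version has
        # since changed: the credentials were still exposed.
        actions.append("marker present: treat as previously executed")
    if affected or markers:
        actions.append("rotate: " + "; ".join(ROTATION_TARGETS))
    verdict = "compromised" if (affected or markers) else "clean"
    return {"verdict": verdict, "installed": installed,
            "markers": markers, "actions": actions}


def self_check():
    """Exercise find_markers against a constructed marker in a scratch dir."""
    with tempfile.TemporaryDirectory() as scratch:
        marker = Path(scratch) / MARKER_NAME
        marker.write_text("constructed test marker\n")   # constructed, not real
        found = find_markers([marker, Path(scratch) / "absent"])
    return found == [str(marker)]


if __name__ == "__main__":
    result = assess(installed_version(), find_markers(marker_candidates()))
    print(f"{PACKAGE}: {result['installed']} -> {result['verdict']}")
    for action in result["actions"]:
        print(" -", action)
    # Non-zero exit so a CI job fails loudly when a runner is affected.
    sys.exit(1 if result["verdict"] == "compromised" else 0)
```

Run it on each developer machine and, more importantly, on every CI/CD runner image that pulled the package during the window; the non-zero exit code lets a pipeline step fail rather than merely log. The marker file alone is treated as evidence of execution even when the affected version is no longer installed, since the secrets were read at the time it ran.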

Supply-chain attacks on open source repositories have become increasingly common over the past decade. HD Moore, founder and CEO of security firm runZero, noted that user-developed repository workflows like GitHub Actions are notorious for hosting vulnerabilities. He warned it's difficult for open source projects to avoid accidentally creating dangerous workflows that can be exploited through malicious pull requests.