Malicious Update to Popular ML Tool Stole Credentials from 1M+ Monthly Users

A widely used open-source package for monitoring machine learning systems was hijacked last week after attackers exploited a flaw in the developers' GitHub workflow to steal signing keys and push a malicious update.
The package, element-data, is a command-line interface used by data teams to track performance and anomalies in ML models. It is downloaded over a million times each month. On Friday, unknown attackers published version 0.23.3 to the official Python Package Index and Docker Hub accounts. When executed, the compromised code scanned systems for user profiles, cloud provider keys, API tokens, SSH keys, and database credentials.
The malicious version was live for about 12 hours before being removed Saturday. The developers said the Elementary Cloud platform, the Elementary dbt package, and all other CLI versions were not affected.
The breach began when the attackers posted malicious code to a pull request, which triggered a bash script inside the developers' GitHub Actions workflow. That script exfiltrated account tokens and signing keys, allowing the attackers to publish a nearly identical-looking malicious package.
The team learned of the issue from a third-party report and removed the package within three hours. They have since rotated all exposed credentials, patched the vulnerability, and audited every GitHub action for similar weaknesses. Users who installed version 0.23.3 or ran the affected Docker image should assume any credentials in that environment may be compromised.
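A check for the exposure described above, added here as an example (not code from Elementary or the source article): it walks a directory tree looking for an installed `element-data` 0.23.3 distribution and for requirements files that pin it. The package name and version come from the article; the requirements/constraints file-name patterns and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

PACKAGE = "element-data"   # package name, from the article
BAD_VERSION = "0.23.3"     # malicious release, from the article

def normalize(name):
    """PEP 503 name normalization: element_data, Element.Data -> element-data."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Exact pins such as "element_data[extra] == 0.23.3 ; marker" or "element-data==0.23.3 \"
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)"
)
# Assumed file names for pip requirements and constraints files
REQ_FILE_RE = re.compile(r".*(requirements|constraints).*\.txt")

def pinned_bad(line):
    """True if a requirements line pins the package to the malicious version."""
    m = PIN_RE.match(line)
    return bool(m) and normalize(m.group(1)) == PACKAGE and m.group(2) == BAD_VERSION

def installed_bad(dir_name):
    """True for a metadata directory name like element_data-0.23.3.dist-info."""
    m = re.fullmatch(r"(.+)-([^-]+)\.dist-info", dir_name)
    return bool(m) and normalize(m.group(1)) == PACKAGE and m.group(2) == BAD_VERSION

def scan(root):
    """Return sorted (kind, path) findings under root; kind is 'installed' or 'pinned'."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_dir() and installed_bad(path.name):
            findings.append(("installed", str(path)))
        elif path.is_file() and REQ_FILE_RE.fullmatch(path.name):
            lines = path.read_text(errors="replace").splitlines()
            if any(pinned_bad(line) for line in lines):
                findings.append(("pinned", str(path)))
    return sorted(findings)

if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, path in results:
        print(f"{kind}: {path}")
    # Non-zero exit lets CI or a fleet script flag the host for credential rotation
    sys.exit(1 if results else 0)
```

A hit means the credentials reachable from that environment should be treated as exposed; a clean result does not cover the affected Docker image or hosts where the package was installed and later removed.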
Source: Ars Technica