Element-data, an open source package downloaded 1 million times monthly, was found stealing user credentials. Users of the library should immediately check for signs of compromise.
Security researchers discovered that element-data, a widely-used open source package, contained malicious code designed to harvest user credentials. The package, which maintains approximately 1 million monthly downloads, had been compromised without the knowledge of its users or maintainers.
■ The Breach
The malicious code embedded in element-data was designed to exfiltrate sensitive user authentication data. The exact scope of affected versions and the duration of the compromise remain under investigation.
■ What You Should Do
Users of element-data should take immediate action:
- Audit your systems: Check for unauthorized access or activity on accounts that may have used this package
- Rotate credentials: Change passwords and regenerate API keys for any services accessed by applications using element-data
- Update immediately: Remove the compromised package and update to a patched version when available
- Review logs: Examine application logs for suspicious activity dating back to when the package was first installed
■ Impact
The large download volume means the potential impact is significant. Any application or service that incorporated element-data could have been affected. Organizations using this package in production environments face particular risk.
■ Next Steps
Maintainers have been notified and are working to remediate the issue. Additional details about the compromise timeline and affected versions are expected as the investigation progresses. Users should monitor official package repositories and security advisories for updates.
This incident underscores the risks inherent in open source software supply chains, where popular packages can reach millions of users before security issues are detected.
The FBI has taken control of websites operated by Alarum Technologies Ltd., marking a significant enforcement action against the proxy network industry. The move signals increased federal scrutiny of services that mask user identities online.
xAI, owned by Elon Musk, is suing a South Carolina man who allegedly used the Grok AI chatbot to generate child sexual abuse material (CSAM). Terry Wayne Harwood faces eight felony charges after his arrest in February.
Meta has issued conflicting statements about NameTag, a face recognition system reported by WIRED. Company executives have offered unclear remarks on whether the technology actually exists.
Zoom has disclosed a critical vulnerability affecting its Windows desktop client and SDK that allows unauthenticated attackers to hijack user accounts. The company has released patches to address the security issue.