Developers are urgently advised to update the open-source package 'elementary-data' from version 0.23.3 to 0.23.4. Version 0.23.3 of the package, which is downloaded over a million times monthly, was found to have been compromised and to steal user credentials.

Users must uninstall version 0.23.3 and install the safe version 0.23.4, explicitly pinning it in their project files. Deleting cache files and checking for a malware marker file (/tmp/.trinny-security-update or %TEMP%\.trinny-security-update) are also recommended.
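The checks above (is the compromised version installed, and is the marker file present) can be scripted so they run the same way on every developer machine and CI runner. The following is an added example, not code from the advisory or from the elementary-data project; it assumes the package is a Python distribution installed with pip (so its version is readable via importlib.metadata), and it only reports findings rather than making changes.

```python
"""Triage helper for the elementary-data 0.23.3 incident (added example).

Reports two things from the advisory:
  1. whether the compromised package version is installed in this interpreter
  2. whether the malware marker file exists in the temp directory
It does not modify anything; remediation (uninstall, reinstall pinned 0.23.4,
clear caches, rotate secrets) is left to the operator.
"""
import importlib.metadata
import os
import tempfile
from pathlib import Path

PACKAGE = "elementary-data"
COMPROMISED_VERSION = "0.23.3"
SAFE_VERSION = "0.23.4"
MARKER_NAME = ".trinny-security-update"  # marker file name from the advisory


def marker_candidates():
    """Locations to check for the marker: /tmp (POSIX) and %TEMP% (Windows).

    tempfile.gettempdir() is included so TMPDIR/TMP overrides are covered too.
    """
    dirs = {Path("/tmp"), Path(tempfile.gettempdir())}
    temp_env = os.environ.get("TEMP")
    if temp_env:
        dirs.add(Path(temp_env))
    return [d / MARKER_NAME for d in sorted(dirs)]


def find_marker(candidates=None):
    """Return the first existing marker path, or None if none is present."""
    for path in (candidates if candidates is not None else marker_candidates()):
        if path.exists():
            return path
    return None


def installed_version(package=PACKAGE):
    """Version of `package` in the current environment, or None if absent."""
    try:
        return importlib.metadata.version(package)
    except importlib.metadata.PackageNotFoundError:
        return None


def is_compromised(version):
    """True only for the exact version the advisory names as compromised."""
    return version == COMPROMISED_VERSION


def assess(version, marker):
    """Combine both signals into a list of human-readable findings."""
    findings = []
    if is_compromised(version):
        findings.append(
            f"{PACKAGE} {version} is installed: uninstall it, install "
            f"{SAFE_VERSION}, pin '{PACKAGE}=={SAFE_VERSION}', and rotate "
            "every credential reachable from this environment"
        )
    if marker is not None:
        findings.append(
            f"marker file {marker} present: the malicious payload ran here"
        )
    return findings


if __name__ == "__main__":
    for line in assess(installed_version(), find_marker()) or ["no findings"]:
        print(line)
```

Absence of findings from this script is not proof of safety: it only sees the interpreter it runs in, so run it inside each virtual environment and on each CI runner image, and treat the marker check as a positive indicator rather than an all-clear.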

Crucially, all credentials accessible from the environment where 0.23.3 ran, including cloud keys, API tokens, and SSH keys, must be rotated immediately. CI/CD runners are particularly vulnerable.

Security experts note that supply-chain attacks on open-source repositories are a growing problem. Automation such as GitHub Actions workflows can inadvertently introduce or propagate such compromises, leaving the open-source projects that depend on them exposed.