# Opensource package with 1 million monthly downloads stole user credentials … # compromised after a threat actor # exploited a # vulnerability in the developer
An open-source package named elementData, which has one million monthly downloads, was compromised. Threat actors exploited a vulnerability in the developer's account workflow to gain access to signing keys and sensitive information. This allowed them to push a malicious version of the package, which was used to steal user credentials. AI
IMPACT Compromise of ML tooling could impact data integrity and system security for operators.