San Francisco — elementary-data 0.23.3 harvested warehouse credentials and Secure Shell keys. A GitHub Actions flaw gave attackers signing keys, letting them push a malicious build of the genuine pack
Ars Technica