PyPI Package With 1.1M Downloads Hacked to Push Infostealer

Key Takeaways

• elementary-data 0.23.3 contained an infostealer targeting SSH keys, cloud credentials, and crypto wallets
• Attackers exploited a GitHub Actions script injection flaw rather than compromising maintainer accounts
• Anyone who downloaded version 0.23.3 or the associated Docker images should rotate all secrets immediately

A popular Python package used by data engineers was compromised over the weekend. An attacker pushed a malicious version of elementary-data to PyPI that harvested SSH keys, cloud credentials, cryptocurrency wallets, and other sensitive developer data.

The compromised release is version 0.23.3. The package has more than 1.1 million monthly downloads and is widely used in the dbt (Data Build Tool) ecosystem for data observability.

Community member crisperik spotted the malicious upload on Saturday and opened an issue on the project's GitHub. This quick detection limited the exposure window. A clean replacement, version 0.23.4, is now available. But anyone who downloaded 0.23.3 remains compromised.

How the Attack Worked

This was not a typical account compromise. According to StepSecurity researchers, the attacker exploited a flaw in the project's GitHub Actions workflow rather than stealing maintainer credentials.

The attacker posted a malicious comment on a pull request. That comment exploited a GitHub Actions script injection vulnerability, causing the workflow to execute attacker-controlled shell code.

This exposed the workflow's GITHUB_TOKEN. The attacker then used it to forge a signed commit and tag (v0.23.3) and trigger the project's legitimate release pipeline. The pipeline built and published the backdoored package to PyPI. It also pushed a malicious image to GitHub Container Registry.

Because the release looked official, systems that did not use pinned versions pulled the backdoored build automatically.

What the Malware Stole

The malicious release contained a file called elementary.pth. It executed automatically at startup and loaded a secrets stealer. The malware targeted a wide range of sensitive data.

• SSH keys and Git credentials
• Cloud credentials for AWS, GCP, and Azure
• Kubernetes, Docker, and CI secrets
• .env files and developer tokens
• Cryptocurrency wallet files for Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, and Ripple
• System data including /etc/passwd, logs, and shell history

The same payload reached the project's Docker image. The release workflow that uploads to PyPI also has a build-and-push-docker-image job. Both were compromised in a single attack.

Who Is Affected

Anyone who downloaded elementary-data==0.23.3 is affected. The malicious Docker images carry the tags ghcr.io/elementary-data/elementary:0.23.3 and :latest (at the time of compromise).

If you use pinned versions and did not update during the exposure window, you are likely safe. If you use floating version specifiers or pulled :latest, you should assume compromise.

What to Do Now

StepSecurity recommends the following steps for anyone who may have been exposed:

1. Check your installed version: pip show elementary-data
2. If you have 0.23.3, uninstall and reinstall 0.23.4 or later
3. Rotate all secrets: SSH keys, cloud credentials, API tokens, CI secrets
4. Check for unauthorized access in your cloud provider logs
5. Restore development environments from a known safe point
6. If you used the Docker image, pull the latest clean version and audit container registries

Why This Attack Pattern Matters

Most supply chain attacks in the Python ecosystem have relied on typosquatting or compromised maintainer accounts. This one is different. The attacker never needed credentials. They exploited a workflow design flaw that let them hijack the release process itself.

GitHub Actions workflows that evaluate untrusted input are a known risk. But many projects still have these vulnerabilities. The elementary-data incident is a reminder that CI/CD security is part of application security.

Frequently Asked Questions

How do I check if I installed the malicious elementary-data version?

Run 'pip show elementary-data' in your terminal. If the version is 0.23.3, you are affected. Uninstall immediately and rotate all secrets.

Was the elementary-data maintainer's account hacked?

No. The attacker exploited a GitHub Actions script injection flaw to trigger the release pipeline without compromising any account.

Are Docker images of elementary-data also affected?

Yes. The same release workflow pushed a malicious image to GitHub Container Registry with tags 0.23.3 and :latest.

How can I prevent this type of attack on my own projects?

Audit your GitHub Actions workflows for script injection vulnerabilities. Never evaluate untrusted input in workflow expressions. Use pinned versions in dependencies.

Is the clean version of elementary-data safe to use now?

Yes. Version 0.23.4 was pushed as a clean replacement. Verify your version before continuing use.

Source: BleepingComputer