PyPI Package With 1.1M Downloads Hacked to Push Infostealer
Key Takeaways
- elementary-data 0.23.3 contained an infostealer targeting SSH keys, cloud credentials, and crypto wallets
- Attackers exploited a GitHub Actions script injection flaw rather than compromising maintainer accounts
- Anyone who downloaded version 0.23.3 or the associated Docker images should rotate all secrets immediately
A popular Python package used by data engineers was compromised over the weekend. An attacker pushed a malicious version of elementary-data to PyPI that harvested SSH keys, cloud credentials, cryptocurrency wallets, and other sensitive developer data.
The compromised release is version 0.23.3. The package has more than 1.1 million monthly downloads and is widely used in the dbt (Data Build Tool) ecosystem for data observability.
Community member crisperik spotted the malicious upload on Saturday and opened an issue on the project's GitHub. This quick detection limited the exposure window. A clean replacement, version 0.23.4, is now available. But anyone who downloaded 0.23.3 remains compromised.
How the Attack Worked
This was not a typical account compromise. According to StepSecurity researchers, the attacker exploited a flaw in the project's GitHub Actions workflow rather than stealing maintainer credentials.
The attacker posted a malicious comment on a pull request. That comment exploited a GitHub Actions script injection vulnerability, causing the workflow to execute attacker-controlled shell code.
This exposed the workflow's GITHUB_TOKEN. The attacker then used it to forge a signed commit and tag (v0.23.3) and trigger the project's legitimate release pipeline. The pipeline built and published the backdoored package to PyPI. It also pushed a malicious image to GitHub Container Registry.
Because the release looked official, systems that did not use pinned versions pulled the backdoored build automatically.
What the Malware Stole
The malicious release contained a file called elementary.pth. It executed automatically at startup and loaded a secrets stealer. The malware targeted a wide range of sensitive data.
- SSH keys and Git credentials
- Cloud credentials for AWS, GCP, and Azure
- Kubernetes, Docker, and CI secrets
- .env files and developer tokens
- Cryptocurrency wallet files for Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, and Ripple
- System data including /etc/passwd, logs, and shell history
The same payload reached the project's Docker image. The release workflow that uploads to PyPI also has a build-and-push-docker-image job. Both were compromised in a single attack.
Who Is Affected
Anyone who downloaded elementary-data==0.23.3 is affected. The malicious Docker images carry the tags ghcr.io/elementary-data/elementary:0.23.3 and :latest (at the time of compromise).
If you use pinned versions and did not update during the exposure window, you are likely safe. If you use floating version specifiers or pulled :latest, you should assume compromise.
What to Do Now
StepSecurity recommends the following steps for anyone who may have been exposed:
- Check your installed version: pip show elementary-data
- If you have 0.23.3, uninstall and reinstall 0.23.4 or later
- Rotate all secrets: SSH keys, cloud credentials, API tokens, CI secrets
- Check for unauthorized access in your cloud provider logs
- Restore development environments from a known safe point
- If you used the Docker image, pull the latest clean version and audit container registries
Logicity's Take
Why This Attack Pattern Matters
Most supply chain attacks in the Python ecosystem have relied on typosquatting or compromised maintainer accounts. This one is different. The attacker never needed credentials. They exploited a workflow design flaw that let them hijack the release process itself.
GitHub Actions workflows that evaluate untrusted input are a known risk. But many projects still have these vulnerabilities. The elementary-data incident is a reminder that CI/CD security is part of application security.
Another recent breach involving stolen personal data
Supply chain and credential theft remain top attack vectors
Frequently Asked Questions
How do I check if I installed the malicious elementary-data version?
Run 'pip show elementary-data' in your terminal. If the version is 0.23.3, you are affected. Uninstall immediately and rotate all secrets.
Was the elementary-data maintainer's account hacked?
No. The attacker exploited a GitHub Actions script injection flaw to trigger the release pipeline without compromising any account.
Are Docker images of elementary-data also affected?
Yes. The same release workflow pushed a malicious image to GitHub Container Registry with tags 0.23.3 and :latest.
How can I prevent this type of attack on my own projects?
Audit your GitHub Actions workflows for script injection vulnerabilities. Never evaluate untrusted input in workflow expressions. Use pinned versions in dependencies.
Is the clean version of elementary-data safe to use now?
Yes. Version 0.23.4 was pushed as a clean replacement. Verify your version before continuing use.
Need Help Implementing This?
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Related Articles
Browse all
Kraken Crypto Exchange Extortion: Hackers Threaten to Leak Internal Videos After Insider Breach
Cryptocurrency exchange Kraken is being extorted by hackers who obtained videos of internal systems through bribed support employees. The company says no funds were compromised and refuses to pay, with only about 2,000 accounts affected. Kraken is working with federal law enforcement to prosecute everyone involved.
Windows 11 KB5083769 and KB5082052: April 2026 Patch Tuesday Brings Smart App Control Changes and Security Fixes
Microsoft's April 2026 Patch Tuesday updates are now live for Windows 11, bringing critical security patches alongside a welcome change to Smart App Control. You can finally toggle SAC on or off without wiping your entire system. The updates cover versions 23H2, 24H2, and 25H2.
Zero Trust Identity Security: 5 Ways This Framework Actually Stops Credential Theft
Stolen credentials caused 22% of breaches in 2025, making them the top attack vector. Zero Trust promises to fix this, but only when it's built around identity as the core principle. Here's how organizations can implement it properly.
Open Source PR Backlogs: Why Your GitHub Contribution Sits Unreviewed for a Year
A developer's Jellyfin pull request has been waiting over a year for merge despite two approvals, exposing a systemic crisis in open source maintenance. Queuing theory explains why backlogs grow exponentially, and 60% of maintainers have quit or considered quitting due to burnout.
Also Read
Accenture Deploys Copilot to 743,000 Staff in Record AI Deal
Microsoft's largest enterprise Copilot deal puts the AI assistant on every Accenture employee's desktop. The consulting giant reports staff completing routine tasks up to 15 times faster, though industry-wide AI productivity gains remain disputed.
Nintendo Switch 2 LCD Screen Disappoints: A Portable OLED Fix
The Nintendo Switch 2 shipped with a 1080p LCD panel that looks worse than its predecessor's 720p OLED. Critics cite slow response times and weak contrast. Here's why enthusiasts are pairing the console with portable OLED monitors instead.
OpenAI Open-Sources Symphony: Agent Orchestration Spec
OpenAI has released Symphony, an open-source specification that turns project management tools like Linear into control planes for coding agents. The system reportedly increased landed pull requests by 500% on some teams by eliminating the context-switching bottleneck that limited engineers to managing three to five agent sessions at once.