Full Report
An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. [...]
Analysis Summary
# Incident Report: Supply Chain Compromise of 'elementary-data' PyPI Package
## Executive Summary
The popular open-source data observability tool `elementary-data` (1.1M monthly downloads) was subjected to a supply chain attack involving a malicious release (v0.23.3). The attacker exploited a GitHub Actions script injection vulnerability to forge a signed release, pushing an infostealer designed to exfiltrate developer credentials and cryptocurrency wallets. The incident was mitigated by the release of version 0.23.4, but users who installed the affected version remain compromised.
## Incident Details
- **Discovery Date:** April 25, 2026 (Saturday)
- **Incident Date:** April 25, 2026
- **Affected Organization:** Elementary Data (Open-source project)
- **Sector:** Software Development / Data Engineering
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 25, 2026
- **Vector:** GitHub Actions Script Injection
- **Details:** The attacker posted a malicious comment on a Pull Request. This comment exploited a flaw in the project’s CI/CD workflow, allowing the execution of attacker-controlled shell code.
### Lateral Movement
- **Privilege Escalation:** By exploiting the script injection, the attacker captured the `GITHUB_TOKEN`.
- **Pipeline Manipulation:** The attacker used the token to forge a signed commit and tag (v0.23.3), triggering the legitimate automated release pipeline.
### Data Exfiltration/Impact
- **Malicious Payload:** The forged release included a file named `elementary.pth`.
- **Action:** This file executed automatically upon package startup, deploying a secrets stealer.
- **Targets:** The malware targeted SSH keys, Cloud provider credentials (AWS/GCP/Azure), Kubernetes/Docker secrets, `.env` files, and various cryptocurrency wallets (BTC, LTC, DOGE, etc.).
### Detection & Response
- **Detection:** Community member `crisperik` identified the malicious upload and opened a GitHub issue.
- **Immediate Response:** Maintainers removed the malicious version and pushed a clean replacement (v0.23.4).
- **Secondary Impact:** The malicious code was also automatically deployed to the project's Docker images on GitHub Container Registry (GHCR) due to integrated workflows.
## Attack Methodology
- **Initial Access:** GitHub Actions Script Injection via PR comment.
- **Persistence:** Use of a `.pth` file in the Python environment, ensuring execution whenever the package is loaded.
- **Privilege Escalation:** Exploitation of GITHUB_TOKEN permissions within the runner environment.
- **Defense Evasion:** Use of the project’s official, legitimate CI/CD pipeline to sign and publish the malicious code, making it appear authentic.
- **Credential Access:** Automated scanning for `.git`, `.ssh`, and `.env` directories.
- **Collection:** Gathering cloud, system (`/etc/passwd`), and CI secrets.
- **Exfiltration:** Targeted theft of cryptocurrency wallet files and developer tokens.
- **Impact:** Compromise of developer environments and potential downstream access to production data pipelines.
## Impact Assessment
- **Financial:** Risk of direct theft from cryptocurrency wallets; costs associated with rotating enterprise cloud credentials.
- **Data Breach:** High-sensitivity developer data, including cloud access keys and system logs.
- **Operational:** Disruption to data pipelines; requirement for users to rebuild environments.
- **Reputational:** Potential loss of trust in a tool with 1.1 million monthly downloads.
## Indicators of Compromise
- **File indicators:**
- `elementary.pth` (inserted into the site-packages directory)
- **Version indicators:**
- PyPI package: `elementary-data==0.23.3`
- Docker tags: `ghcr[.]io/elementary-data/elementary:0.23.3` and `:latest` (during the window of infection)
## Response Actions
- **Containment:** Malicious version 0.23.3 was pulled from PyPI.
- **Eradication:** Release of clean version 0.23.4.
- **Recovery:** Public advisory issued for users to rotate all secrets stored on machines where the malicious package was installed.
## Lessons Learned
- **CI/CD Security:** Automated workflows triggered by external inputs (like PR comments) are high-risk vectors.
- **Token Permissions:** The `GITHUB_TOKEN` should have the minimum permissions necessary; in this case, it allowed for forge-signing of releases.
- **Version Pinning:** Users who did not pin their versions were automatically upgraded to the malicious build.
## Recommendations
- **For Maintainers:** Sanitize all inputs in GitHub Actions workflows and transition to "OpenID Connect" (OIDC) for more secure publishing to PyPI (Trusted Publishers).
- **For Users:**
- Implement strict version pinning in `requirements.txt` or `Poetry`.
- Use tools to scan for malicious high-risk files (like unexpected `.pth` files) in Python environments.
- Immediately rotate all AWS, Azure, GCP, and Git credentials if version 0.23.3 was utilized.