PyPI package with 1.1M monthly downloads hacked to push infostealer
by Bill Toulas · BleepingComputer
An attacker pushed a malicious version of the popular elementary-data package to the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets.
The dangerous release is 0.23.3, and it also reached the Docker image, because the project's workflow creates the image from the code and uploads it to a container registry for deployment.
Community member crisperik spotted the malicious upload and opened an issue on the project’s GitHub on Saturday, alerting the maintainer and decreasing the exposure window.
A clean replacement, elementary-data 0.23.4, was pushed to users. However, users who downloaded the malicious variant remained compromised.
The elementary-data package is an open-source data observability tool for dbt, primarily used by data/analytics engineers working with data pipelines. It is a popular tool in the dbt (Data Build Tool) ecosystem, with more than 1.1 million monthly downloads on PyPI.
According to an analysis of the incident published by StepSecurity researchers, the attacker exploited a flaw in the project’s workflow, rather than compromising the maintainers’ accounts, as is more common with rogue updates.
The attacker posted a malicious comment on a pull request that exploited a GitHub Actions script injection flaw, causing the workflow to execute attacker-controlled shell code.
This exposed the workflow’s GITHUB_TOKEN, which was then used to forge a signed commit and tag (v0.23.3) and trigger the project’s legitimate release pipeline.
The pipeline built and published the backdoored package to PyPI as well as a malicious image to GitHub Container Registry, making it appear as an official release.
The malicious release contained the file elementary.pth, which executed automatically at startup to load a secrets stealer targeting the following types of data:
- SSH keys, Git credentials, cloud creds (AWS/GCP/Azure)
- Kubernetes, Docker, and CI secrets
- .env files and developer tokens
- Crypto wallet files (Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, Ripple)
- System data (/etc/passwd, logs, shell history)
The researchers say that the same payload reached the project's Docker image, because the "Release package workflow that uploads to PyPI also has a build-and-push-docker-image job."
According to StepSecurity, systems that did not use pinned versions pulled the backdoored build automatically.
Those who downloaded the malicious release, elementary-data==0.23.3, and the images with the tags ghcr.io/elementary-data/elementary:0.23.3 and :latest, should rotate all secrets and restore their environments from a known safe point.
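A check for the two indicators named above, the installed release elementary-data==0.23.3 and .pth files that run code at interpreter startup, as an added example that is not from StepSecurity or the elementary-data project. It relies on Python's documented behaviour that the site module executes any .pth line beginning with `import`; the function names are hypothetical.

```python
"""Added example: check for the release and the .pth startup hook named above."""
import site
from importlib import metadata
from pathlib import Path

BAD_RELEASE = ("elementary-data", "0.23.3")  # release named in the article
BAD_PTH_NAME = "elementary.pth"              # file named in the article


def executable_pth_lines(directory):
    """Return (file, line_no, text) for each .pth line that site.py would exec.

    site.py executes a .pth line only if it starts with "import" followed by
    a space or tab; other non-comment lines are just added to sys.path.
    """
    hits = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, no, line.strip()))
    return hits


def bad_release_installed():
    """True if the installed elementary-data version is the one named above."""
    try:
        return metadata.version(BAD_RELEASE[0]) == BAD_RELEASE[1]
    except metadata.PackageNotFoundError:
        return False


def site_dirs():
    """Existing site-packages directories of the running interpreter."""
    dirs = set(getattr(site, "getsitepackages", list)())
    dirs.add(site.getusersitepackages())
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    print("elementary-data 0.23.3 installed:", bad_release_installed())
    for d in site_dirs():
        for name, no, line in executable_pth_lines(d):
            mark = "  <-- file name from the article" if name == BAD_PTH_NAME else ""
            print(f"{d}/{name}:{no}: {line[:100]}{mark}")
```

Legitimate packages, editable installs for example, also ship `import` lines in .pth files, so each hit needs review rather than automatic removal.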