
Ethical Hacking News

A devastating supply chain attack: PyPI package with 1.1M monthly downloads hacked to push infostealer


A devastating supply chain attack has been discovered on a popular Python Package Index (PyPI) package, elementary-data, which has over 1.1 million monthly downloads. The attacker exploited a flaw in the project's workflow to push an infostealer that targeted sensitive data and crypto wallets.

  • A popular Python Package Index (PyPI) package, elementary-data, was compromised by an attacker who exploited a flaw in the project's workflow.
  • The malicious release, 0.23.3, was pushed to a package with over 1.1 million monthly downloads and contained a secrets stealer targeting sensitive data such as SSH keys and cloud credentials.
  • The attack highlights the importance of regular security audits and updates in open-source projects.
  • Users are advised to be cautious when installing packages from PyPI, especially those with a high number of monthly downloads.
  • The incident serves as a reminder for developers to follow best practices for securing their projects, including regular security audits, updates, and testing.



    The world of cybersecurity is constantly evolving, and a recent incident highlights the importance of vigilance in the software development community. A popular Python Package Index (PyPI) package, elementary-data, has been compromised by an attacker who exploited a flaw in the project's workflow. The malicious release, 0.23.3, was pushed to PyPI, making it appear as an official update to a package with over 1.1 million monthly downloads.

    According to an analysis published by StepSecurity researchers, the attacker took advantage of a GitHub Actions script injection flaw to execute attacker-controlled shell commands inside the workflow. This exposed the workflow's GITHUB_TOKEN, which was then used to forge a signed commit and tag (v0.23.3) and trigger the project's legitimate release pipeline. The pipeline built and published the backdoored package to PyPI as well as a malicious image to GitHub Container Registry, making it appear as an official release.
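    The script injection class described above arises when a workflow interpolates an attacker-influenced expression (an issue title, a pull request branch name, a comment body) directly into a `run:` script, so the text becomes part of the shell command. The mitigation is to pass such values through an environment variable instead. The following added example, written for this article and not StepSecurity's or the elementary-data project's code, is a small line-oriented scanner that flags untrusted `${{ }}` expressions inside `run:` steps, together with a constructed vulnerable workflow and its hardened form. The list of untrusted contexts and the sample workflows are assumptions for the example; the article does not say which expression the compromised workflow used.

```python
import re

# Expression contexts an outside contributor can control (issue titles, PR
# branch names, comment bodies, ...). Constructed list for this example; the
# article does not name the exact expression the elementary-data workflow used.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(?:"
    r"github\.event\.(?:issue|pull_request|comment|review|review_comment|"
    r"discussion|head_commit|commits|workflow_run)\b[^}]*"
    r"|github\.head_ref\b[^}]*"
    r")\}\}"
)

RUN_KEY = re.compile(r"^(-\s+)?run:\s*(.*)$")


def find_run_injections(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for every untrusted ${{ }} expression
    interpolated directly into a `run:` script.

    Line-oriented approximation of the YAML layout (enough for ordinary
    workflow files); it is not a full YAML parser."""
    findings: list[tuple[int, str]] = []
    in_run = False
    run_indent = -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        m = RUN_KEY.match(stripped)
        if m:
            # "- run:" puts the key to the right of the list dash.
            run_indent = indent + (len(m.group(1)) if m.group(1) else 0)
            in_run = True
            scalar_head = m.group(2)
            if not scalar_head.startswith(("|", ">")):  # inline one-line script
                findings += [(lineno, e.group(0)) for e in UNTRUSTED_CONTEXT.finditer(scalar_head)]
            continue
        if in_run and indent > run_indent:  # body of a block scalar (run: |)
            findings += [(lineno, e.group(0)) for e in UNTRUSTED_CONTEXT.finditer(line)]
        else:
            in_run = False
    return findings


# Constructed sample: untrusted values interpolated straight into shell scripts.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - name: label by branch
        run: |
          echo "branch is ${{ github.head_ref }}"
          echo "commit is ${{ github.sha }}"
"""

# Hardened form: the same values reach the script as environment variables,
# so they are data to the shell rather than part of the command text.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
      - name: label by branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "branch is $HEAD_REF"
          echo "commit is ${{ github.sha }}"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_run_injections(text))
```

    Run the scanner over a repository's `.github/workflows/*.yml` files; `${{ github.sha }}` is left alone because the repository, not a contributor, controls it. Pairing this with a least-privilege `permissions:` block for the job limits what a leaked GITHUB_TOKEN can do even when an injection slips through.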

    The malicious release contained the file elementary.pth, which the Python interpreter executed automatically at startup to load a secrets stealer targeting sensitive data such as SSH keys, Git credentials, cloud credentials (AWS/GCP/Azure), Kubernetes, Docker, and CI secrets, .env files, and developer tokens. The attacker also targeted crypto wallet files (Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, Ripple) as well as system data (/etc/passwd, logs, shell history).
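    A .pth file in site-packages is processed by Python's site module on every interpreter start: lines beginning with `import ` are executed as code, while other lines are added to sys.path. That is what makes a .pth file a convenient persistence point for a backdoored package. The following added example, written for this article and not code from the incident or from the elementary-data project, audits the .pth files in a set of directories and reports every executable line. The sample .pth files it builds are constructed for the demonstration.

```python
import site
import tempfile
from pathlib import Path

# site.addpackage() executes any .pth line that begins with "import " or
# "import\t"; every other non-comment line is treated as a directory to add
# to sys.path. An auditor therefore only needs to look for those prefixes.
EXEC_PREFIXES = ("import ", "import\t")


def audit_pth_file(pth: Path) -> list[tuple[str, int, str]]:
    """Return (file, line_number, line) for every executable line in one .pth."""
    hits: list[tuple[str, int, str]] = []
    try:
        lines = pth.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return hits
    for lineno, line in enumerate(lines, 1):
        if line.startswith(EXEC_PREFIXES):
            hits.append((str(pth), lineno, line.rstrip()))
    return hits


def audit_pth_files(site_dirs) -> list[tuple[str, int, str]]:
    """Audit every *.pth directly inside the given directories (site.py does
    not recurse either)."""
    findings: list[tuple[str, int, str]] = []
    for d in site_dirs:
        directory = Path(d)
        if not directory.is_dir():
            continue
        for pth in sorted(directory.glob("*.pth")):
            findings.extend(audit_pth_file(pth))
    return findings


def build_sample_site_dir() -> str:
    """Create a throwaway directory with two constructed .pth files: one that
    only extends sys.path and one that would run code at startup. Nothing in
    them is ever executed by this script; it only reads them."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    (Path(d) / "harmless.pth").write_text("# adds a path only\n/opt/example/lib\n")
    (Path(d) / "suspicious.pth").write_text(
        "import runpy; runpy.run_path('/nonexistent/example/loader.py')\n"
    )
    return d


if __name__ == "__main__":
    # Audit the live interpreter's site-packages directories.
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    for path, lineno, line in audit_pth_files(dirs):
        print(f"{path}:{lineno}: {line}")
```

    Some legitimate packages ship import lines in .pth files (setuptools' distutils-precedence.pth is a well-known one), so the output is a review list rather than a verdict; compare each hit against the owning package's RECORD file and treat any .pth that does not belong to an installed distribution as a finding.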

    The attack highlights the importance of regular security audits and updates in open-source projects. It also underscores the need for users to be cautious when installing packages from PyPI, especially those with a high number of monthly downloads.

    In response to the incident, the maintainer of the elementary-data package published a clean replacement, version 0.23.4. However, it is still unclear how many users were affected by the malicious release.

    StepSecurity researchers noted that the attacker exploited a flaw in the project's workflow rather than compromising the maintainers' accounts, which is the more common route for rogue updates. This underscores the ongoing threat to the software supply chain and the importance of staying vigilant.

    The incident also serves as a reminder for developers to follow best practices for securing their projects, including regular security audits, updates, and testing. It is essential to keep dependencies up-to-date and to monitor CI workflows and third-party services for suspicious activity.

    In conclusion, the attack on the elementary-data package highlights the need for vigilance in software development and the importance of staying up-to-date with the latest security best practices. As new exploits continue to emerge, it is crucial that developers prioritize their projects' security and stay informed about potential threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-devastating-supply-chain-attack-PyPI-package-with-11M-monthly-downloads-hacked-to-push-infostealer-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/


  • Published: Mon Apr 27 11:53:18 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
