Script Injection and Data Theft: Python Data Analysis Tool Compromised
The popular Python package for monitoring data quality was briefly available as a malicious version. Provider Elementary advises an immediate update.
(Image: janews / Shutterstock.com)
- Manuel Masiero
An attacker uploaded a manipulated version 0.23.3 of the Python data monitoring tool elementary-data to PyPI. The fake release steals credentials such as SSH keys, AWS credentials, API tokens, and wallet files for various cryptocurrencies. The provider Elementary has since removed the compromised package, but it remained available for nearly half a day, long enough to cause damage.
The attacker, hiding behind the GitHub account realtungtungtungsahur, which had been created only a few days earlier, uploaded the malicious version 0.23.3 of elementary-data to PyPI on April 25th at 0:20 AM CEST, followed by a compromised Docker image that found its way into the GitHub Container Registry at 0:24 AM.
A little over 11 hours later, on April 25th at 11:45 AM, the elementary team removed the malicious files and replaced them with the cleaned version 0.23.4. According to the team, Elementary Cloud, the Elementary dbt package, and other versions of the CLI tool were not affected by this incident. The provider has since also published a full security report detailing the timeline, root cause analysis, and all countermeasures.
Last month alone, elementary-data recorded more than one million downloads, according to pypistats.org, making the open-source CLI one of the most widely used monitoring and diagnostic tools for dbt-based data platforms. A successful attack therefore also has a high chance of yielding the corresponding secrets.
Attack via GitHub Actions
The attacker exploited a script injection vulnerability in one of elementary-data's GitHub Actions workflows to execute their code within the pipeline. Using the automatically provided GITHUB_TOKEN, they then triggered the release workflow release.yml via workflow_dispatch. The attacker had opened a pull request carrying the malicious code for this purpose; it never needed to be merged, and the master branch was not modified directly.
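The injection class described above arises when a workflow interpolates a contributor-controlled expression straight into a run: script. The following added example (not code from the advisory or from the Elementary project) is a small scanner that flags such interpolations and contrasts a constructed vulnerable workflow with a hardened one that passes the value through an environment variable and restricts the token's permissions; the list of untrusted contexts is an assumption for the example.

```python
import re

# Expression contexts an outside contributor controls (constructed list for this
# example, not from the advisory). Pasted into a run: script, they become shell.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body|head_commit\.message)|head_ref)\s*\}\}"
)

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} expressions inside run:."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        key = stripped[2:] if stripped.startswith("- ") else stripped
        if key.startswith("run:"):
            in_run, run_indent = True, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False            # dedent: the run: scalar has ended
        if in_run:
            findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
    return findings

# Constructed workflows: the first interpolates the PR title into the shell, the
# second passes it through an environment variable and limits the token.
VULNERABLE = """\
on: pull_request_target
jobs:
  check:
    steps:
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  check:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":          # in practice: run over .github/workflows/*.yml
    print(find_run_injections(VULNERABLE), find_run_injections(HARDENED))
```

The scanner is deliberately simple (it tracks run: scalars by indentation rather than parsing YAML), so treat a hit as a prompt for review, not as proof of exploitability.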
The malicious code is located in the elementary.pth file, found in the package's site-packages directory, and targets a wide range of sensitive data: SSH keys, AWS cloud credentials, and secrets for Docker and Kubernetes. Wallet files for cryptocurrencies such as Bitcoin, Litecoin, Dogecoin, and Ethereum are also among the targets. The stolen data was compiled into the file trin.tar.gz and exfiltrated to the address igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud. The incident is also cataloged as MAL-2026-3083 in the Open Source Vulnerabilities (OSV) database.
Countermeasures
Users who have installed the affected version 0.23.3 should act immediately. The elementary team recommends, as a general rule, performing a version check with
pip show elementary-data | grep Version
Then, uninstall version 0.23.3 with
pip uninstall elementary-data
and replace it with the secure version:
pip install elementary-data==0.23.4
Furthermore, users should pin the version in their requirements files and lock files to elementary-data==0.23.4 and, as a final step, rotate all access credentials that were used with elementary-data.
In addition, the team recommends deleting cache files and searching for the malware's marker file on all potentially affected systems: on macOS and Linux, it is located under /tmp/.trinny-security-update, and on Windows under %TEMP%\.trinny-security-update. If the file is present, the malware was active on the respective system.
In parallel, the Elementary team has rotated the PyPI publish token, the GitHub token, and the Docker registry credentials, removed the vulnerable GitHub Actions workflow, and checked all remaining workflows.
(mro)