PyPI package with 1.1M monthly downloads hacked to push infostealer
Attackers pushed a poisoned PyPI release of the elementary-data package (0.23.3) and a related Docker image to steal sensitive data and cryptocurrency wallets. The compromise exploited a GitHub Actions script-injection flaw in a pull request, exposing the workflow’s GITHUB_TOKEN and allowing a forged commit and tag to trigger the legitimate release pipeline. A clean replacement, elementary-data 0.23.4, was released, but users who installed 0.23.3 remain compromised, as the payload (elementary.pth) could exfiltrate SSH keys, credentials, cloud and Kubernetes secrets, environment tokens, and wallet files. With 1.1 million+ monthly downloads, affected users should rotate all secrets and restore from a safe point.

Malicious PyPI Release Sparks Info Stealer Campaign Targeting Developers and CI/CD Secrets
1) Overview
- A widely used open‑source data observability tool, elementary-data, experienced a supply‑chain compromise when a malicious version (0.23.3) was pushed to PyPI.
- The incident extended to the associated Docker image because the project’s release workflow builds and uploads a container image alongside the Python package.
- A clean update (elementary-data 0.23.4) was released, but devices and environments that downloaded the infected 0.23.3 remained at risk.
2) How the Attack Unfolded — Step by Step
- A malicious release was prepared as part of the project’s release workflow.
- The attacker targeted a flaw in the GitHub Actions workflow by leaving a poisoned comment on a pull request.
- The injected comment triggered a script execution within the workflow, leading to exposure of the workflow’s GITHUB_TOKEN.
- With the token exposed, the attacker forged a signed commit and tag (v0.23.3), which then entered the legitimate release pipeline.
- The pipeline published the compromised package to PyPI (0.23.3) and, in parallel, deployed a malicious container image to GitHub Container Registry (GHCR) under legitimate branding.
- The PyPI release contained a payload intended to load automatically at startup, enabling a hidden information stealer to harvest secrets from affected systems.
3) Payload and Potential Data Targets
- The backdoored artifact included a file designed to execute on startup, loading a secrets stealer.
- Targeted data categories included:
  - SSH keys and Git credentials
  - Cloud provider credentials (AWS, GCP, Azure)
  - Kubernetes, Docker, and CI/CD secrets
  - Environment files (.env) and developer tokens
  - Crypto wallets (Bitcoin, Ethereum variants, and other popular coins)
  - System data such as /etc/passwd, logs, and shell history
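A startup file such as elementary.pth works because Python's site module executes any line in a site-packages .pth file that begins with `import`. The following added example (not code from the project or the original report) checks a site-packages directory for the 0.23.3 install and for .pth files carrying startup code; the sample tree it builds is constructed, and the .pth content is a harmless stand-in.

```python
import os
import tempfile
from importlib import metadata

# Version named on this page as malicious; extend the map for other advisories.
BAD_VERSIONS = {"elementary-data": {"0.23.3"}}

def executable_pth_lines(path):
    """Lines that site.py exec()s at interpreter startup: those starting with 'import'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1)
                if line.startswith(("import ", "import\t"))]

def scan_site_dir(site_dir):
    """Map each .pth file holding startup code to its executable lines."""
    findings = {}
    for name in sorted(os.listdir(site_dir)):
        if name.endswith(".pth"):
            hits = executable_pth_lines(os.path.join(site_dir, name))
            if hits:
                findings[name] = hits
    return findings

def bad_distributions(site_dir):
    """Installed distributions in site_dir whose version is on the bad list."""
    found = []
    for dist in metadata.distributions(path=[site_dir]):
        name = (dist.metadata["Name"] or "").lower().replace("_", "-")
        if dist.version in BAD_VERSIONS.get(name, ()):
            found.append((name, dist.version))
    return found

def build_constructed_site(root):
    """Constructed sample tree: stand-in files, not the real payload."""
    info = os.path.join(root, "elementary_data-0.23.3.dist-info")
    os.makedirs(info)
    with open(os.path.join(info, "METADATA"), "w") as fh:
        fh.write("Metadata-Version: 2.1\nName: elementary-data\nVersion: 0.23.3\n")
    with open(os.path.join(root, "elementary.pth"), "w") as fh:
        fh.write("import sys; sys.stdout.flush()  # harmless stand-in\n")
    with open(os.path.join(root, "paths_only.pth"), "w") as fh:
        fh.write("# comment\n../vendored\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site_dir = build_constructed_site(tmp)
        print(bad_distributions(site_dir))
        print(scan_site_dir(site_dir))
```

On a real host, pass each directory returned by `site.getsitepackages()` instead of the sample tree. Some legitimate packages also ship `import` lines in .pth files (setuptools' distutils-precedence.pth is one), so every hit needs review rather than automatic deletion.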
4) Affected Artifacts and Reach
- PyPI package: elementary-data 0.23.3 (malicious), followed by 0.23.4 (clean replacement).
- Container image: a malicious image published to GHCR, using the same fraudulent release signals to appear legitimate.
- The scope was substantial due to the package’s popularity within the dbt ecosystem, where elementary-data boasted more than 1.1 million monthly downloads.
5) Analysis of How the Breach Was Carried Out
- The compromise did not rely on breaking into maintainers’ accounts; instead, it leveraged a flaw in the project’s workflow and a GitHub Actions script injection vulnerability.
- A poisoned pull request comment allowed attacker‑controlled shell code to execute within the release workflow.
- The exposed workflow token (GITHUB_TOKEN) enabled the attacker to forge a signed commit and tag, triggering the legitimate release machinery for both the PyPI package and the container image.
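The script-injection class described above arises when a workflow pastes contributor-controlled text, such as a comment body, into a `run:` shell script through a `${{ }}` expression. This added example (not the project's workflow or tooling) is a small linter that flags that pattern; both workflow samples are constructed, and the hardened one passes the comment through an environment variable and limits the token to read-only.

```python
import re

# Expressions whose value an outside contributor controls (comment, title, branch name).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:comment|issue|pull_request|review)\.(?:body|title)"
    r"|event\.pull_request\.head\.ref|head_ref)\s*\}\}")

def find_injectable_runs(workflow_text):
    """Return (line number, expression) for untrusted values expanded inside run: scripts."""
    findings, run_col = [], None
    for n, raw in enumerate(workflow_text.splitlines(), 1):
        indent = len(raw) - len(raw.lstrip())
        if run_col is not None and raw.strip() and indent <= run_col:
            run_col = None                      # dedent: the run: script has ended
        if re.match(r"\s*(?:-\s+)?run:", raw):
            run_col = raw.index("run:")         # column of the key, script lines sit deeper
        if run_col is not None:
            findings += [(n, m.group(0)) for m in UNTRUSTED.finditer(raw)]
    return findings

# Constructed workflow, not the project's: the comment text is pasted into the shell script.
VULNERABLE = '''\
on: issue_comment
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
'''

# Hardened form: read-only token, and the comment reaches the shell only as variable data.
HARDENED = '''\
on: issue_comment
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "Comment: $COMMENT_BODY"
'''

if __name__ == "__main__":
    print(find_injectable_runs(VULNERABLE))
    print(find_injectable_runs(HARDENED))
```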
6) The Aftermath and Observations
- Once the malicious 0.23.3 release circulated, the maintainers issued a clean replacement (0.23.4) to halt further spread from the tainted version.
- Despite the replacement, systems that had already downloaded 0.23.3 remained compromised until credentials and secrets were rotated and environments were cleaned.
- Analyses highlighted that the attack exploited a chain of supply‑chain weaknesses across PyPI and the container registry, rather than a direct compromise of user accounts or credentials in the maintainer’s control.
7) Broader Context and Related Security Signals
- The incident sits within a growing pattern of supply‑chain attacks targeting open‑source tooling used in data engineering and analytics pipelines.
- Reports point to a broader theme in which script injection flaws in CI/CD workflows expose tokens and credentials that attackers then use to drive legitimate release pipelines.
- In related security threads, researchers discuss how automated workflows and unsigned or unpinned build steps can enable attackers to push backdoored artifacts into production ecosystems.
8) Visual and Reference Notes
- The incident was publicly documented with imagery illustrating the malicious PyPI release and the backdoored container image.
- Public write‑ups from security researchers describe the exact sequence: workflow exploitation, token exposure, forged release signals, and cross‑artifact contamination (PyPI and GHCR).
9) Related Coverage and Further Reading
- New angles on supply‑chain attacks affecting package ecosystems and container registries.
- Cases where trusted project workflows were abused to inject malicious code that manifests as legitimate updates.
- Ongoing discussions about the resilience of release pipelines and the risks of script injection in collaborative development environments.
10) Quick Reference: Indicators and What Organizations Noted
- Malicious PyPI entry: a compromised 0.23.3 package in the elementary-data project, followed by a clean 0.23.4 replacement.
- Malicious artifacts included a startup‑executed payload named elementary.pth capable of loading a secrets stealer.
- Cross‑artifact impact included a malicious container image published to a registry in tandem with the PyPI package.
- The accessibility of the GitHub Actions workflow and its tokens was a central axis of the compromise, emphasizing the complexity of modern release pipelines.
11) Closing Context
- This incident underscores the interconnected risk surface of modern open‑source supply chains, where a single flawed release workflow can cascade across multiple distribution channels.
- Community members and researchers highlighted the non‑account‑compromise vector, focusing on workflow vulnerabilities and automated pipeline abuse as the primary entry points for the attack.