Malicious PyPI Release Sparks Info Stealer Campaign Targeting Developers and CI/CD Secrets
1) Overview
- A widely used open‑source data observability tool, elementary-data, experienced a supply‑chain compromise when a malicious version (0.23.3) was pushed to PyPI.
- The incident extended to the associated Docker image because the project’s release workflow builds and uploads a container image alongside the Python package.
- A clean update (elementary-data 0.23.4) was released, but devices and environments that downloaded the infected 0.23.3 remained at risk.
2) How the Attack Unfolded — Step by Step
- A malicious release was prepared as part of the project’s release workflow.
- The attacker targeted a flaw in the GitHub Actions workflow by leaving a poisoned comment on a pull request.
- The injected comment triggered a script execution within the workflow, leading to exposure of the workflow’s GITHUB_TOKEN.
- With the token exposed, the attacker forged a signed commit and tag (v0.23.3), which then entered the legitimate release pipeline.
- The pipeline published the compromised package to PyPI (0.23.3) and, in parallel, deployed a malicious container image to GitHub Container Registry (GHCR) under legitimate branding.
- The PyPI release contained a payload intended to load automatically at startup, enabling a hidden information stealer to harvest secrets from affected systems.
3) Payload and Potential Data Targets
- The backdoored artifact included a file designed to execute on startup, loading a secrets stealer.
- Targeted data categories included:
  - SSH keys and Git credentials
  - Cloud provider credentials (AWS, GCP, Azure)
  - Kubernetes, Docker, and CI/CD secrets
  - Environment files (.env) and developer tokens
  - Crypto wallets (Bitcoin, Ethereum variants, and other popular coins)
  - System data such as /etc/passwd, logs, and shell history
4) Affected Artifacts and Reach
- PyPI package: elementary-data 0.23.3 (malicious), followed by 0.23.4 (clean replacement).
- Container image: a malicious image published to GHCR, using the same fraudulent release signals to appear legitimate.
- The scope was substantial due to the package’s popularity within the dbt ecosystem, where elementary-data boasted more than 1.1 million monthly downloads.
5) Analysis of How the Breach Was Carried Out
- The compromise did not rely on breaking into maintainers’ accounts; instead, it leveraged a flaw in the project’s workflow and a GitHub Actions script injection vulnerability.
- A poisoned pull request comment allowed attacker‑controlled shell code to execute within the release workflow.
- The exposed workflow token (GITHUB_TOKEN) enabled the attacker to forge a signed commit and tag, triggering the legitimate release machinery for both the PyPI package and the container image.
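As an added illustration of the script-injection pattern described in this section (not code from the elementary-data project, whose actual workflow is not reproduced here), the following Python check flags GitHub Actions `run:` steps that interpolate contributor-controlled context values directly into the shell. The two workflow fragments and the list of untrusted contexts are constructed assumptions.

```python
import re

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
# Context values an outside contributor can set (assumed, non-exhaustive list).
UNTRUSTED = re.compile(
    r"github\.(?:head_ref|event\.(?:comment|issue|pull_request|review)"
    r"\.(?:body|title|head\.ref))")

def find_injections(workflow_text):
    """Return (line number, expression) for untrusted ${{ }} inside run: steps."""
    findings = []
    run_indent = None  # column of the `run:` key while we are inside its body
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # a dedent ends the run block
        m = re.match(r"(-\s+)?run:", stripped)
        if m and run_indent is None:
            run_indent = indent + len(m.group(1) or "")
        if run_indent is not None:
            # The runner substitutes ${{ }} before the shell parses the script,
            # so the value becomes part of the script text itself.
            for expr in EXPR.findall(line):
                if UNTRUSTED.search(expr):
                    findings.append((lineno, expr.strip()))
    return findings

# Constructed fragment: comment text is pasted into the shell script.
VULNERABLE = """\
steps:
  - name: Echo comment
    run: |
      echo "Comment: ${{ github.event.comment.body }}"
"""
# Constructed fix: the value reaches the shell only as an environment variable.
HARDENED = """\
steps:
  - name: Echo comment
    env:
      COMMENT: ${{ github.event.comment.body }}
    run: |
      echo "Comment: $COMMENT"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_injections(text))
```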
6) The Aftermath and Observations
- Once the malicious 0.23.3 release circulated, the maintainers issued a clean replacement (0.23.4) to halt further spread from the tainted version.
- Despite the replacement, systems that had already downloaded 0.23.3 remained compromised until credentials and secrets were rotated and environments were cleaned.
- Analyses highlighted that the attack exploited a chain of supply‑chain weaknesses across PyPI and the container registry, rather than a direct compromise of user accounts or credentials in the maintainer’s control.
7) Broader Context and Related Security Signals
- The incident sits within a growing pattern of supply‑chain attacks targeting open‑source tooling used in data engineering and analytics pipelines.
- Reports point to a broader theme where script injection flaws in CI/CD workflows can expose tokens and credentials, which are then used to push forged releases through legitimate release pipelines.
- In related security threads, researchers discuss how automated workflows and unsigned or unpinned build steps can enable attackers to push backdoored artifacts into production ecosystems.
8) Visual and Reference Notes
- The incident was publicly documented with imagery illustrating the malicious PyPI release and the backdoored container image.
- Public write‑ups from security researchers describe the exact sequence: workflow exploitation, token exposure, forged release signals, and cross‑artifact contamination (PyPI and GHCR).
9) Related Coverage and Further Reading
- New angles on supply‑chain attacks affecting package ecosystems and container registries.
- Cases where trusted project workflows were abused to inject malicious code that manifests as legitimate updates.
- Ongoing discussions about the resilience of release pipelines and the risks of script injection in collaborative development environments.
10) Quick Reference: Indicators and What Organizations Noted
- Malicious PyPI entry: a compromised 0.23.3 package in the elementary-data project, followed by a clean 0.23.4 replacement.
- Malicious artifacts included a startup‑executed payload named elementary.pth capable of loading a secrets stealer.
- Cross‑artifact impact included a malicious container image published to a registry in tandem with the PyPI package.
- Access to the GitHub Actions workflow and its token was central to the compromise, underscoring the complexity of modern release pipelines.
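Python's `site` module executes any line in a site-packages `.pth` file that begins with `import`, which is the startup hook a file such as elementary.pth relies on. The following added example (not from the original report or the project) lists such lines and checks for dist-info metadata of the 0.23.3 release; the sample directory contents are constructed.

```python
import re
import site
import tempfile
from pathlib import Path

FLAGGED = ("elementary-data", "0.23.3")  # release the article reports as malicious

def _norm(name):
    # Package names compare equal regardless of -, _ or . and letter case.
    return re.sub(r"[-_.]+", "_", name).lower()

def executable_pth_lines(site_dir):
    """(file, line) for each .pth line the site module would exec() at startup.
    Legitimate packages use this too, so treat hits as review candidates."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line.strip()))
    return hits

def has_flagged_release(site_dir):
    """True if dist-info metadata for the flagged name and version is installed."""
    for d in Path(site_dir).glob("*.dist-info"):
        pkg, _, ver = d.name[: -len(".dist-info")].rpartition("-")
        if (_norm(pkg), ver) == (_norm(FLAGGED[0]), FLAGGED[1]):
            return True
    return False

def constructed_sample():
    """Build a throwaway directory with constructed, harmless stand-in files."""
    d = Path(tempfile.mkdtemp())
    (d / "elementary.pth").write_text("import os  # constructed stand-in\n")
    (d / "extra_paths.pth").write_text("/opt/extra/lib\n")
    (d / "elementary_data-0.23.3.dist-info").mkdir()
    return d

if __name__ == "__main__":
    # Scan the constructed sample first, then this interpreter's site dirs.
    for sd in [constructed_sample(), *site.getsitepackages()]:
        print(sd, executable_pth_lines(sd), has_flagged_release(sd))
```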
11) Closing Context
- This incident underscores the interconnected risk surface of modern open‑source supply chains, where a single flawed release workflow can cascade across multiple distribution channels.
- Community members and researchers highlighted the non‑account‑compromise vector, focusing on workflow vulnerabilities and automated pipeline abuse as the primary entry points for the attack.