1.1 million monthly downloads — the reach of the elementary-data package on PyPI — made a routine open-source component a highly effective vector for a secrets-stealing campaign when an attacker slipped a backdoor into a release.
elementary-data: reach and role in dbt pipelines
elementary-data is an open-source data observability tool for dbt, used primarily by data and analytics engineers working with data pipelines. The package is widely distributed on the Python Package Index (PyPI), with more than 1.1 million monthly downloads, which amplified the impact of the incident when a malicious release was published.
How the attacker forged an official release via GitHub Actions
According to an analysis published by StepSecurity researchers, the attacker did not directly compromise the maintainers’ accounts. Instead, they exploited a flaw in the project’s workflow: a malicious comment posted on a pull request triggered a GitHub Actions script injection vulnerability. That injection allowed attacker-controlled shell code to execute inside the workflow, exposing the workflow’s GITHUB_TOKEN.
StepSecurity reports the exposed GITHUB_TOKEN was used to forge a signed commit and create a tag (v0.23.3). The forged tag then triggered the project’s legitimate release pipeline, which proceeded to build and publish what appeared to be an official release.
The backdoor: elementary.pth and the secrets stealer
The malicious release, published as elementary-data version 0.23.3, included a file named elementary.pth that executed automatically at Python startup. That file loaded a secrets-stealing payload designed to harvest a comprehensive set of sensitive information.
StepSecurity’s breakdown lists the following targets of the payload:
- SSH keys, Git credentials, cloud credentials (AWS/GCP/Azure)
- Kubernetes, Docker, and CI secrets
- .env files and developer tokens
- Cryptocurrency wallet files (Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, Ripple)
- System data such as /etc/passwd, logs, and shell history
Container image contamination: GitHub Container Registry
The compromise extended beyond PyPI. The project's release package workflow also included a job to build and push a Docker image. StepSecurity says the same payload reached the project's Docker image because the release workflow uploaded both to PyPI and to the GitHub Container Registry. The attackers published the malicious package to PyPI and a matching malicious image under the tags ghcr.io/elementary-data/elementary:0.23.3 and :latest, making the artifacts appear to be official outputs of the release process.
How discovery, fixes, and automatic updates unfolded
Community member crisperik spotted the malicious upload and opened an issue on the project's GitHub on Saturday, alerting the maintainer and shrinking the exposure window. The maintainer pushed a clean replacement as elementary-data 0.23.4. Nonetheless, systems that did not use pinned versions or those that pulled the compromised container tags remained at risk: StepSecurity notes that systems without pinned versions pulled the backdoored build automatically, and users who downloaded elementary-data==0.23.3 or the contaminated images remained compromised until they took corrective action.
What this means for data/analytics engineers and open-source maintainers
Data/analytics engineers who rely on elementary-data should assume that any environment that installed elementary-data==0.23.3 or pulled images tagged ghcr.io/elementary-data/elementary:0.23.3 or :latest may have been exposed and must take remediation steps. The researchers advise rotating all secrets and restoring environments from a known safe point.
For maintainers, the incident underscores a specific attack path: a workflow script injection on GitHub Actions that can expose repository tokens and allow attackers to forge signed commits and trigger legitimate pipelines. StepSecurity emphasizes that this incident exploited a workflow flaw rather than an account compromise, illustrating how automation and CI/CD configurations can be an attack surface in their own right.
In short, a widely used dbt-adjacent package became a distribution channel for a broad secrets exfiltration tool because an attacker manipulated an automated release pipeline. A clean release (0.23.4) is available, but the practical impact depends on whether organizations pinned versions, monitored for unexpected tags, and followed post-compromise steps recommended by the researchers: rotate credentials and restore from trusted snapshots.
Original story: https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/
