The widely used Python library elementary-data has been turned into a channel for exfiltrating sensitive developer credentials. The compromised release reached not only the PyPI repository but also the project's official Docker images, so part of the user base pulled the tainted build through routine updates without noticing.
The malicious release is version 0.23.3. Used mainly by data engineers and analysts to monitor dbt pipelines, the package sees over 1.1 million monthly downloads from PyPI. The anomaly was first spotted by a community member using the handle crisperik, who flagged the suspicious publication on GitHub. The maintainers responded with a clean release, 0.23.4, but environments that had already installed the tainted build remained exposed.
According to a forensic write-up by StepSecurity, the intrusion did not require compromising maintainer credentials. Instead, the attacker exploited an injection flaw in the project's GitHub Actions workflow: a malicious comment on a pull request caused the workflow to execute attacker-supplied shell code. Through this step the adversary obtained a GITHUB_TOKEN, created signed commits and tags for v0.23.3, and then triggered the legitimate release pipeline.
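The pattern StepSecurity describes (a pull-request comment reaching a `run:` step as shell) is the classic GitHub Actions script-injection bug, and the fix is to pass untrusted event fields through an environment variable instead of interpolating them into the script. The scanner below is an added example, not code from the article or from the elementary-data project; the two workflow snippets are constructed for illustration, and the list of untrusted context fields is assumed from GitHub's script-injection guidance rather than taken from the article. It flags expressions like `${{ github.event.comment.body }}` that appear inside a `run:` block and also notes whether the workflow declares a `permissions:` block, which is the usual way to keep the job's GITHUB_TOKEN from carrying write rights.

```python
import re
from typing import List, Tuple

# Event fields an external contributor controls. Interpolating them straight
# into a run: step lets their contents be parsed as shell. List assumed from
# GitHub's script-injection guidance (not from the article); extend as needed.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.comment\.body",
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.review\.body",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(" + "|".join(UNTRUSTED_CONTEXTS) + r")\s*\}\}")
RUN_KEY_RE = re.compile(r"(- )?run:")


def find_run_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, context) for every untrusted context interpolated
    inside a run: step. Tracks the run block by indentation, so it handles
    the usual YAML layouts without needing a YAML parser."""
    findings: List[Tuple[int, str]] = []
    in_run = False
    run_indent = -1
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # A non-blank line at or above the run key's indent ends the block.
        if in_run and stripped and indent <= run_indent:
            in_run = False
        if RUN_KEY_RE.match(stripped):
            in_run = True
            # For "- run:" the key itself sits two columns past the dash, so
            # sibling keys of the same step (env:, with:) end the block too.
            run_indent = indent + 2 if stripped.startswith("- ") else indent
        if in_run:
            for m in UNTRUSTED_RE.finditer(line):
                findings.append((no, m.group(1)))
    return findings


def declares_permissions(workflow_text: str) -> bool:
    """True if the workflow (or any job) sets an explicit permissions: block,
    i.e. does not rely on the default GITHUB_TOKEN scope."""
    return re.search(r"^\s*permissions:", workflow_text, re.M) is not None


# Constructed example: the comment body lands directly in the shell script.
VULNERABLE_WORKFLOW = """\
name: pr-comment-bot
on:
  issue_comment:
    types: [created]
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the comment
        run: |
          echo "Comment was: ${{ github.event.comment.body }}"
"""

# Constructed hardened form: the value goes through an env var, so the shell
# sees it only as data, and the token is limited to read access.
HARDENED_WORKFLOW = """\
name: pr-comment-bot
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the comment
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          echo "Comment was: $COMMENT"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_run_injections(text), "permissions:", declares_permissions(text))
```

Run it over the `.github/workflows/` directory of a repository to get a list of lines to review; a hit is not automatically exploitable, but every hit is a place where contributor-controlled text is being handed to a shell.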
The automated release mechanism then built and published the infected package to PyPI and the matching Docker image to the GitHub Container Registry, so the version carried every hallmark of authenticity. Hidden inside was a file named elementary.pth, which the interpreter executes automatically at startup, and which deployed a credential-harvesting "stealer."
The malicious payload was engineered to scavenge for SSH keys, Git credentials, AWS, GCP, and Azure cloud secrets, Kubernetes and CI configurations, .env files, and developer tokens. Furthermore, it targeted a wide array of cryptocurrency wallets, including those for Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, and Ripple.
StepSecurity cautioned that systems without pinned dependency versions may have pulled in the compromised build automatically. Users of elementary-data 0.23.3, and of images tagged ghcr.io/elementary-data/elementary:0.23.3 or :latest, are urged to rotate all credentials and rebuild their environments from a verified clean state.
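Three checks follow from the advisory: is the named version installed, is there a `.pth` file in a site directory with lines the interpreter will execute, and are the project's requirements pinned so that a future bad release cannot float in. The audit script below is an added example written for this article, not StepSecurity's or the project's tooling; the version string and file name come from the article, while the site directory, `.pth` contents and requirements list in `run_demo()` are constructed so it runs offline. The `.pth` review generalizes beyond the one file name: `site.py` executes any `.pth` line that begins with `import`, and legitimate tools use that hook too, so the output is a list to review rather than a verdict.

```python
import os
import re
import tempfile
from importlib import metadata
from typing import Dict, Iterable, List

COMPROMISED_VERSION = "0.23.3"   # release named in the advisory
SUSPECT_PTH = "elementary.pth"    # file named in the StepSecurity write-up


def installed_version(dist: str = "elementary-data"):
    """Version of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def is_compromised_version(version) -> bool:
    return version == COMPROMISED_VERSION


def pth_import_lines(path: str) -> List[str]:
    """Lines of a .pth file that site.py would exec at interpreter startup
    (those starting with 'import ' or 'import\\t'); other lines are paths."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.rstrip("\n") for ln in fh if ln.startswith(("import ", "import\t"))]


def audit_site_dirs(search_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map each .pth file with executable lines to those lines. The suspect
    file name is reported even when it has none, since its presence alone
    is the indicator."""
    report: Dict[str, List[str]] = {}
    for d in search_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                lines = pth_import_lines(path)
                if lines or name == SUSPECT_PTH:
                    report[path] = lines
    return report


# An exact pin: name, optional extras, then '==' and a version.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")


def unpinned_requirements(lines: Iterable[str]) -> List[str]:
    """Requirement lines that lack an exact '==' pin. Comments, blanks and
    option lines such as '-r base.txt' are skipped."""
    out = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if not PIN_RE.match(line):
            out.append(line)
    return out


def run_demo() -> Dict[str, object]:
    """Exercise the checks on a constructed site directory and requirements
    list; only the installed-version check touches the real environment."""
    site_dir = tempfile.mkdtemp(prefix="site-demo-")
    with open(os.path.join(site_dir, SUSPECT_PTH), "w") as fh:
        fh.write("import sys\n/opt/example/lib\n")   # constructed content
    with open(os.path.join(site_dir, "editable-tool.pth"), "w") as fh:
        fh.write("/opt/example/src\n")               # path-only .pth: inert
    requirements = [                                  # constructed list
        "elementary-data",                # floats to whatever PyPI serves
        "elementary-data>=0.23",          # a range is not a pin
        "elementary-data==0.23.4  # fixed release",
        "# comment only",
        "-r base.txt",
    ]
    report = audit_site_dirs([site_dir])
    return {
        "compromised_installed": is_compromised_version(installed_version()),
        "pth_files_flagged": sorted(os.path.basename(p) for p in report),
        "suspect_pth_lines": report.get(os.path.join(site_dir, SUSPECT_PTH)),
        "unpinned": unpinned_requirements(requirements),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real host, pass `site.getsitepackages()` plus `site.getusersitepackages()` to `audit_site_dirs` and your `requirements.txt` lines to `unpinned_requirements`; a positive on the version or the suspect file means the credentials listed in the advisory should be treated as exposed regardless of what else the audit shows.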