A significant security breach has targeted the widely-used Python package, elementary-data, potentially compromising the credentials of numerous developers. This incident highlights the vulnerability of software supply chains to cyber threats.
Infiltration of PyPI and GitHub
Cybercriminals managed to introduce a harmful version, 0.23.3, of the popular package onto the Python Package Index (PyPI). Simultaneously, they infiltrated the associated Docker images on the GitHub Container Registry (GHCR), further extending the reach of the attack. Given its over one million monthly downloads, the elementary-data tool became an attractive target for hackers.
Unlike other attacks, this breach did not involve stolen developer passwords. According to researchers from StepSecurity, the vulnerability was exploited via a script-injection flaw in the GitHub Actions pipeline associated with the project.
Mechanism of the Attack
The attackers used a newly-created GitHub account to leave a malicious script in an open pull request comment. Due to inadequate handling by the automated workflow, the system executed the script, allowing the attackers to create a verified release commit using an access token provided by the workflow itself. This allowed them to trigger the official release process without altering the main codebase.
Upon installation, the compromised package introduced a file named elementary.pth into the environment. This file, automatically executed whenever Python starts, deployed a three-stage information-stealing payload targeting sensitive data such as cloud access tokens, SSH keys, and cryptocurrency wallets.
Response and Mitigation
StepSecurity advises checking installed versions to determine if systems are affected. The compromised version is 0.23.3, while versions 0.23.4 and 0.23.2 remain secure. Similarly, users of the Docker image ghcr.io/elementary-data/elementary:0.23.3 should upgrade to a secure version.
Thanks to the swift actions of community members, the malicious version was promptly removed, and a clean update was provided. Developers are urged to rotate all credentials and enable two-factor authentication to safeguard their systems.
For ongoing cybersecurity insights, follow us on Google News, LinkedIn, and X. If you have stories to share, contact us to feature them.
