Supply Chain Alert: 1M Monthly Downloads Hacked in ‘Elementary-Data’ Poisoning

In a sophisticated display of software supply chain interference, the widely used data observability tool elementary-data was compromised on April 24, 2026. Attackers successfully injected malicious code into version 0.23.3, pushing it to the Python Package Index (PyPI) and the GitHub Container Registry (GHCR).

With over one million monthly downloads, this package is a staple for developers using dbt for data observability. What makes this attack particularly dangerous is that the hackers did not steal developer credentials. Instead, they exploited a flaw in the project’s automated build system to “trick” GitHub into verifying and publishing the malware itself.


The Exploit: Bypassing Security via Script Injection

According to a detailed report from StepSecurity, the breach originated from a script-injection vulnerability within the project’s GitHub Actions pipeline.

How the Attack Unfolded:

  1. The Trigger: A newly created, anonymous GitHub account posted a malicious script inside a comment on an open Pull Request.
  2. The Flaw: The project’s automated workflow was configured to process comment bodies. Because the ${{ github.event.comment.body }} expression was not sanitized, it executed the attacker’s code directly in the CI/CD environment.
  3. The Forgery: Using the workflow’s own GITHUB_TOKEN, the attacker commanded the system to forge a release commit. This created a “Verified” PGP-signed release (v0.23.3) that looked 100% legitimate to end-users.
  4. The Payload: The compromised version included a hidden file named elementary.pth. In Python, .pth files are automatically executed the moment the interpreter starts, meaning the malware activates as soon as a developer runs any Python command in that environment.

The Payload: A Relentless Secret Hunter

The malware embedded in version 0.23.3 is a sophisticated three-stage Information Stealer. Once active, it immediately begins harvesting high-value developer secrets from the infected machine:

  • Cloud Identity: Steals AWS, Google Cloud, and Azure access tokens.
  • DevOps Credentials: Targets SSH private keys, .git-credentials, and Docker configurations.
  • Infrastructure Access: Sweeps for Kubernetes service account tokens.
  • Application Secrets: Searches for .env files containing database passwords and API keys.
  • Crypto Wallets: Scans for local wallet data including Bitcoin and Ethereum files.

All harvested data is compressed and exfiltrated to a remote Command-and-Control (C2) server hosted at skyhanni.cloud.


Affected Versions & Recovery

The Elementary-Data team and community members (specifically Crisperik and H-Max) acted within hours to yank the malicious version.

Package / Image       | Compromised Version     | Clean Version
PyPI (Python Package) | 0.23.3                  | 0.23.4 or 0.23.2
GHCR (Docker Image)   | 0.23.3                  | 0.23.4 or 0.23.2
Docker :latest Tag    | Digest ending in 634255 | Current :latest is clean

Critical Action Steps:

  1. Immediate Update: Run pip install elementary-data==0.23.4.
  2. Full Rotation: If you installed 0.23.3, assume all secrets on that machine are compromised. You must rotate every API key, AWS token, and password stored on that system.
  3. Check for elementary.pth: Manually inspect your Python site-packages directory for a file named elementary.pth and delete it if found.
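
Step 3 can be automated. The script below is an added example, not code from the elementary-data project or from StepSecurity. It lists every .pth file in the current interpreter's site directories that is named elementary.pth or contains a line Python's site module would execute at startup (lines beginning with "import" followed by a space or tab). The function names are illustrative.

```python
import site
import sysconfig
from pathlib import Path

# File name the article reports for the 0.23.3 payload.
KNOWN_BAD_NAMES = {"elementary.pth"}

def executable_pth_lines(pth_file):
    """Return (line_no, text) for lines site.py would exec() at startup."""
    # utf-8-sig strips a leading BOM so it cannot hide an "import" line.
    text = Path(pth_file).read_text(encoding="utf-8-sig", errors="replace")
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        # site.py executes lines starting with "import" + space/tab; other
        # non-comment lines are only appended to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()))
    return hits

def site_dirs():
    """Directories this interpreter scans for .pth files."""
    dirs = {site.getusersitepackages(), sysconfig.get_paths()["purelib"]}
    dirs.update(getattr(site, "getsitepackages", list)())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())

def scan(directories):
    """Flag .pth files that are known-bad by name or contain exec'd lines."""
    findings = []
    for d in directories:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = executable_pth_lines(pth)
            known_bad = pth.name in KNOWN_BAD_NAMES
            if known_bad or lines:
                findings.append({"path": str(pth), "known_bad": known_bad,
                                 "exec_lines": lines})
    return findings

if __name__ == "__main__":
    for f in scan(site_dirs()):
        print("[KNOWN-BAD]" if f["known_bad"] else "[review]", f["path"])
        for no, line in f["exec_lines"]:
            print(f"    line {no}: {line[:120]}")
```

Entries tagged [review] are not necessarily malicious: setuptools and editable installs ship .pth files with import lines, so compare them against a known-clean environment. Run the script with each interpreter or virtual environment that may have had 0.23.3 installed.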

Defensive Strategy: Hardening Your Pipeline

This attack highlights a growing trend: CI/CD Poisoning. To prevent similar compromises, security practitioners recommend:

  • Sanitize GitHub Contexts: Never use ${{ github.event... }} directly in shell scripts. Always use intermediate environment variables.
  • Pin Your Actions: Instead of using actions/checkout@v4, use the specific SHA hash (e.g., actions/checkout@8ade...) to ensure the action itself hasn’t been tampered with.
  • Network Egress Filtering: Use tools like Harden-Runner to monitor and block unauthorized outbound connections from your GitHub runners. This would have prevented the malware from “calling home” to the C2 server.
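
To make the first recommendation (and the flaw described under "How the Attack Unfolded") concrete, here is an added example, not taken from the elementary-data repository or the StepSecurity report. It is a small line-based audit that reports ${{ github.event.* }} expressions expanded inside run: scripts. The two embedded workflows are constructed samples, showing the injectable pattern beside the environment-variable form.

```python
import re

RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EVENT_EXPR = re.compile(r"\$\{\{\s*(github\.event\.[\w.\-]+)\s*\}\}")

def find_injectable_runs(workflow_text):
    """Return (line_no, expression) for github.event.* used inside run: scripts."""
    findings, block_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        script = ""  # env:, with:, if: ... are not shell text and stay empty
        m = RUN_KEY.match(line)
        if m:  # a run: key, either inline or opening a block scalar (| or >)
            is_block = m.group(2)[:1] in ("|", ">")
            block_col = len(m.group(1)) if is_block else None
            if not is_block:
                script = m.group(2)
        elif block_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                block_col = None  # dedent: the script block has ended
            else:
                script = line
        findings += [(no, expr) for expr in EVENT_EXPR.findall(script)]
    return findings

# Constructed workflows (not the elementary-data project's files).
VULNERABLE = """\
on: issue_comment
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
"""
HARDENED = """\
on: issue_comment
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "Comment: $COMMENT_BODY"
"""

if __name__ == "__main__":
    print("vulnerable:", find_injectable_runs(VULNERABLE))
    print("hardened:  ", find_injectable_runs(HARDENED))
```

In the hardened form the expression is expanded into an environment variable before the shell starts, so the comment text reaches the script as data rather than as part of the command line; keep the variable quoted where it is used. The scan is a heuristic over run: steps only and does not inspect inputs passed to other actions.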

FAQs

1. I use Elementary Cloud. Am I affected?

No. This compromise only affected the Open Source CLI package and Docker images hosted on PyPI and GHCR.

2. Is version 0.23.2 safe?

Yes. The attack specifically targeted the 0.23.3 release. Version 0.23.4 was released as a clean “fix” to overwrite the poisoned build.

3. How did the hackers get a “Verified” badge on the commit?

They exploited the GitHub Actions Bot. Since the bot is a trusted entity within the repository, any commit it makes is automatically “Verified” by GitHub’s internal PGP keys.


Conclusion: The Supply Chain Arms Race

The elementary-data incident is a stark reminder that even a “Verified” badge on a GitHub release can be faked if the underlying pipeline is insecure. In the 2026 threat landscape, hackers are moving “left” in the development cycle—targeting the automated systems that build our software rather than the developers themselves.

Action Item: Audit your requirements.txt. If you see elementary-data==0.23.3, your credentials have likely been exfiltrated. Update and rotate your keys immediately.
