Hijacked PyPI Powerhouse: How a 1.1 Million-Download Data Tool Turned Infostealer

Attackers hijacked the elementary-data PyPI package via GitHub Actions injection, pushing a version with 1.1 million downloads that stole credentials and crypto keys. Fast response limited spread, but unpinned users face cleanup.
Hijacked PyPI Powerhouse: How a 1.1 Million-Download Data Tool Turned Infostealer
Written by Ava Callegari

A popular Python package for monitoring machine-learning systems quietly became a thief. The elementary-data CLI, trusted by data teams worldwide with 1.1 million monthly downloads, released version 0.23.3 laced with malware. It scooped up SSH keys, cloud credentials, API tokens, and even cryptocurrency wallets from developers’ machines.

Attackers didn’t crack passwords. They slipped in through a GitHub Actions flaw. On April 24, 2026, at 22:10 UTC, they posted a crafted comment on a pull request. That comment? Interpolated into a shell script. Boom—arbitrary code ran on the CI runner, grabbing the GITHUB_TOKEN. From there, branches created. Pull requests forged. Release triggered. By 22:20:47, the poisoned package hit PyPI. A Docker image followed minutes later.

The payload hid in elementary.pth. It fired on startup, exfiltrating data to igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud. Developers running it lost dbt profiles, warehouse creds, AWS/GCP/Azure keys—everything in .env files and beyond. CI/CD pipelines? Prime targets, loaded with secrets at runtime. A marker file betrayed execution: /tmp/.trinny-security-update on macOS/Linux, %TEMP%\.trinny-security-update on Windows.

Community watchdogs caught it. GitHub user crisperik opened issue #2205 on April 25. Henri-Maxime Ducoulombier pinged the Slack channel. Elementary’s team sprang into action by 8:14 UTC. Package yanked. Version 0.23.4 pushed clean. Credentials rotated across GitHub, PyPI, Docker. Vulnerable workflows gutted. They even looped in Wiz for a full probe.

“We deeply regret the disruption and concern this incident has caused our community,” the Elementary team wrote in their incident report. No hit to Elementary Cloud or the dbt package. Just that one CLI version.

The GitHub Actions Trap

HD Moore knows these pitfalls cold. The runZero CEO, with four decades hacking, calls user-built repo workflows “a major problem for open source projects with open repos.” Attackers love pull requests here. One bad comment, and secrets spill. His tool zizmor scans for them. This breach? Textbook case. Script injection via PR comment. No account takeover needed.

Elementary fixed it fast—three hours from alert to takedown. But damage lingers for unpinned users. Pip pulls latest by default. Systems rebuilt from safe backups. Secrets rotated. Security teams hunting IOCs.

Steps for victims: Check pip show elementary-data | grep Version. If 0.23.3, uninstall. Install 0.23.4 pinned. Wipe caches. Hunt the marker. Rotate everything—dbt, warehouses, clouds, SSH, .env. CI runners first.

And the Docker fallout. Tags ghcr.io/elementary-data/elementary:0.23.3 and :latest carried the backdoor too. Pulls from those? Assume breach.

Supply Chain Siege Rages On

This isn’t isolated. PyPI and npm bleed daily. Sonatype’s 2026 report tallies 1.2 million malicious packages blocked last year—a 75% jump. Developers yanked 9.8 trillion components. Attackers chase that trust.

Recent hits echo the pattern. BleepingComputer’s coverage details elementary-data’s reach into crypto wallets. StepSecurity analysis pins the workflow exploit precisely. X chatter from @DFIR_Radar urges immediate rotations.

Broader wave: Self-spreading npm worms like CanisterSprawl snag tokens via postinstall hooks (The Hacker News). LiteLLM’s PyPI breach stole LLM API keys. Xinference, Bitwarden CLI—same playbook. State actors like Lazarus weave droppers into credential grabs.

Fixes demand vigilance. Pin versions in requirements.txt, lockfiles. Scan workflows with zizmor or equivalents. Shift to OIDC for CI—no long-lived tokens. Audit PR comments. Tools like Socket, Snyk block at the gate.

Open source thrives on trust. Breaches like this erode it. Elementary bounced back transparent. But for every quick fix, thousands hunt ghosts in their pipelines. Developers: Check your installs. Rotate now. The next poisoned release waits.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us