A popular Python package for monitoring machine-learning systems quietly became a thief. The elementary-data CLI, trusted by data teams worldwide with 1.1 million monthly downloads, released version 0.23.3 laced with malware. It scooped up SSH keys, cloud credentials, API tokens, and even cryptocurrency wallets from developers’ machines.
Attackers didn’t crack passwords. They slipped in through a GitHub Actions flaw. On April 24, 2026, at 22:10 UTC, they posted a crafted comment on a pull request. That comment? Interpolated into a shell script. Boom—arbitrary code ran on the CI runner, grabbing the GITHUB_TOKEN. From there, branches created. Pull requests forged. Release triggered. By 22:20:47, the poisoned package hit PyPI. A Docker image followed minutes later.
The payload hid in elementary.pth. It fired on startup, exfiltrating data to igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud. Developers running it lost dbt profiles, warehouse creds, AWS/GCP/Azure keys—everything in .env files and beyond. CI/CD pipelines? Prime targets, loaded with secrets at runtime. A marker file betrayed execution: /tmp/.trinny-security-update on macOS/Linux, %TEMP%\.trinny-security-update on Windows.
Community watchdogs caught it. GitHub user crisperik opened issue #2205 on April 25. Henri-Maxime Ducoulombier pinged the Slack channel. Elementary’s team sprang into action by 8:14 UTC. Package yanked. Version 0.23.4 pushed clean. Credentials rotated across GitHub, PyPI, Docker. Vulnerable workflows gutted. They even looped in Wiz for a full probe.
“We deeply regret the disruption and concern this incident has caused our community,” the Elementary team wrote in their incident report. No hit to Elementary Cloud or the dbt package. Just that one CLI version.
The GitHub Actions Trap
HD Moore knows these pitfalls cold. The runZero CEO, with four decades hacking, calls user-built repo workflows “a major problem for open source projects with open repos.” Attackers love pull requests here. One bad comment, and secrets spill. His tool zizmor scans for them. This breach? Textbook case. Script injection via PR comment. No account takeover needed.
Elementary fixed it fast—three hours from alert to takedown. But damage lingers for unpinned users. Pip pulls latest by default. Systems rebuilt from safe backups. Secrets rotated. Security teams hunting IOCs.
Steps for victims: Check pip show elementary-data | grep Version. If 0.23.3, uninstall. Install 0.23.4 pinned. Wipe caches. Hunt the marker. Rotate everything—dbt, warehouses, clouds, SSH, .env. CI runners first.
And the Docker fallout. Tags ghcr.io/elementary-data/elementary:0.23.3 and :latest carried the backdoor too. Pulls from those? Assume breach.
Supply Chain Siege Rages On
This isn’t isolated. PyPI and npm bleed daily. Sonatype’s 2026 report tallies 1.2 million malicious packages blocked last year—a 75% jump. Developers yanked 9.8 trillion components. Attackers chase that trust.
Recent hits echo the pattern. BleepingComputer’s coverage details elementary-data’s reach into crypto wallets. StepSecurity analysis pins the workflow exploit precisely. X chatter from @DFIR_Radar urges immediate rotations.
Broader wave: Self-spreading npm worms like CanisterSprawl snag tokens via postinstall hooks (The Hacker News). LiteLLM’s PyPI breach stole LLM API keys. Xinference, Bitwarden CLI—same playbook. State actors like Lazarus weave droppers into credential grabs.
Fixes demand vigilance. Pin versions in requirements.txt, lockfiles. Scan workflows with zizmor or equivalents. Shift to OIDC for CI—no long-lived tokens. Audit PR comments. Tools like Socket, Snyk block at the gate.
Open source thrives on trust. Breaches like this erode it. Elementary bounced back transparent. But for every quick fix, thousands hunt ghosts in their pipelines. Developers: Check your installs. Rotate now. The next poisoned release waits.


WebProNews is an iEntry Publication