Popular PyPI Package with 1.1M Downloads Backdoored to Steal Developer Secrets

A widely used Python package on PyPI with more than 1.1 million monthly downloads was briefly turned into a delivery channel for malware, highlighting once again how dangerous modern software supply chain attacks have become.

The affected package, elementary-data, is a popular open-source data observability tool used mainly by analytics and data engineering teams working with dbt pipelines. Attackers managed to push a malicious release, version 0.23.3, which contained an infostealer designed to silently collect sensitive developer information from infected systems.

Unlike many package compromises where maintainer accounts are directly stolen, this incident appears to have originated from a weakness inside the project’s CI/CD workflow. According to researchers at StepSecurity, the attacker exploited a GitHub Actions script injection flaw by posting a malicious comment on a pull request. This allowed attacker-controlled shell code to execute inside the project’s workflow.
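To audit your own repositories for this class of flaw, the added example below (not code from the affected project or from StepSecurity) scans workflow text for contributor-controlled `${{ ... }}` expressions expanded directly inside `run:` scripts. It goes beyond the pull request comment case to cover other contexts GitHub documents as untrusted. Both workflows are constructed, and the hardened one passes the comment through an `env:` variable, with `COMMENT_BODY` an assumed name.

```python
import re

# Contexts an outside contributor controls (subset of GitHub's documented list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.(?:comment\.body|review\.body"
    r"|issue\.(?:title|body)|pull_request\.(?:title|body|head\.ref))))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
BLOCK_SCALAR = re.compile(r"^[|>][+-]?\d*\s*$")

def find_injectable_runs(workflow_text):
    """Return (line_number, expression) for untrusted ${{ }} inside run: scripts."""
    findings, run_col = [], None  # run_col: column of an open multi-line run:
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            body = m.group(2)
            run_col = len(m.group(1)) if BLOCK_SCALAR.match(body) else None
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line  # still inside the multi-line script
        else:
            run_col = None  # dedent closes any open script
            continue
        findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(body)]
    return findings

# Constructed workflows for illustration, not the affected project's files.
VULNERABLE = """\
on: issue_comment
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
"""
HARDENED = """\
on: issue_comment
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "Comment: $COMMENT_BODY"
"""
if __name__ == "__main__":
    print(find_injectable_runs(VULNERABLE), find_injectable_runs(HARDENED))
```

The scanner is line-based and only inspects `run:` scripts, so treat an empty result as a first pass, not proof that a workflow is safe.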

From there, the attacker gained access to the workflow’s GITHUB_TOKEN, forged a signed commit and release tag, and triggered the legitimate release pipeline. As a result, the malicious package was published to PyPI and even pushed into the project’s official Docker image pipeline, making the release appear completely legitimate.

The payload targeted high-value developer assets including SSH keys, Git credentials, AWS, Azure and Google Cloud secrets, Docker and Kubernetes tokens, CI/CD credentials, .env files, shell history and even cryptocurrency wallet files.

This is what makes the incident particularly dangerous. The attack did not target end users directly. It targeted trust itself. Developers installed what looked like an official update from a trusted source, while the real breach happened upstream inside the release process.

A clean version, 0.23.4, has now been released, but users who installed version 0.23.3 or pulled the affected Docker images should assume compromise and rotate all secrets immediately.

The bigger lesson is clear: security teams can no longer focus only on endpoints and phishing. The modern breach point increasingly sits inside CI/CD pipelines, release automation and open-source dependencies. Once trust in the software supply chain is compromised, the blast radius becomes far larger than a single package.


Darkgate Editorial Team