
Hackers Hijacked a GitHub Actions Workflow to Push Malicious Code to PyPI

Elementary Data's open source CLI was the victim, and v0.23.3 is not a version you want installed.

We have been routinely seeing open source projects getting hit by malicious actors with varying degrees of sophistication. Developers are often left scrambling to push out fixes in such situations.

As to why they get targeted, their attack surface is wide, maintainer bandwidth is limited, and one bad package can quietly reach thousands of users before anyone even notices.

When something slips through, developers have to yank releases, rotate credentials, and piece together what got out.

We now have a similar situation where Elementary Data's OSS Python CLI was compromised. And if you had the affected version installed, then you have some cleanup to do.

How it happened

The attack came down to a flaw in one of Elementary's GitHub Actions workflows. It was set up in a way where text from a PR comment could be passed directly into a shell command, so whatever the comment said, the runner would execute it.

At 22:10 UTC on April 24, the attacker posted a malicious comment on a pull request. The workflow ran it as code, handing over access to the runner's secrets, including the PyPI publish token and the GITHUB_TOKEN.

With those in hand, they created the branches and pull requests needed to stage a release, then kicked off Elementary's release workflow. By 22:20 UTC, elementary-data 0.23.3 was live on PyPI. A malicious Docker image was pushed four minutes later.
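The flaw described above is the classic GitHub Actions script-injection pattern: an expression such as `${{ github.event.comment.body }}` is expanded into the text of a `run:` step before the shell ever parses it, so the comment author is effectively writing workflow code. The script below is an added example (not Elementary's workflow, and not the attacker's payload) that reproduces both the unsafe splice and the safe env-var pattern locally with a constructed comment body, so you can see why quoting the expression does not help and why the environment-variable form does.

```shell
#!/usr/bin/env bash
# Added example, not Elementary's workflow: the two ways a GitHub Actions
# "run:" step can consume a PR comment, reproduced locally with a plain shell.

# Constructed comment body. The leading "a" closes the quote the step
# opened, the ';' ends the echo, and what follows is whatever the comment
# author wants executed. Anyone able to comment on a PR controls this string.
COMMENT='a"; echo INJECTED; echo "'

# Unsafe: the comment is spliced into the script text before the shell
# parses it. In a workflow this is
#   run: echo "Comment: ${{ github.event.comment.body }}"
# The Actions runner expands the expression into the script source, so the
# surrounding quotes are no protection; a quote inside the comment closes them.
unsafe_handle() {
    local script="echo \"Comment: $1\""   # text becomes code here
    sh -c "$script"
}

# Safe: the comment reaches the shell only as the value of a variable.
# In a workflow this is
#   env:
#     COMMENT: ${{ github.event.comment.body }}
#   run: echo "Comment: $COMMENT"
# The shell expands $COMMENT after parsing, so quotes and semicolons in it
# are data, never command separators.
safe_handle() {
    COMMENT="$1" sh -c 'echo "Comment: $COMMENT"'
}

# Returns 0 when running handler $1 on the comment produced a line that is
# exactly INJECTED, i.e. when the smuggled command actually executed.
was_injected() {
    "$1" "$COMMENT" | grep -qx 'INJECTED'
}

# Show both behaviours side by side.
echo "--- unsafe ---"; unsafe_handle "$COMMENT"
echo "--- safe ---";   safe_handle "$COMMENT"
```

Run it with `bash script.sh`: the unsafe handler prints `Comment: a` followed by `INJECTED`, while the safe handler prints the whole comment body, quotes and all, as one harmless line. The same reasoning applies to any event field an outsider controls (issue titles, PR bodies, branch names), and to `pull_request_target` or `issue_comment` workflows that expose secrets to the step.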

Who got hit

Only users who installed elementary-data 0.23.3 (now removed) from PyPI are affected, as well as anyone who pulled the compromised Docker image during the attack window.

Elementary Cloud is unaffected, as is the Elementary dbt package and every other version of the CLI. That said, if you were running 0.23.3, the exposure is serious: the malware had access to anything the environment could reach.

The remedy

First, check your installed version:

pip show elementary-data | grep Version

If it shows 0.23.3, get rid of it and install the clean version:

pip uninstall elementary-data
pip install elementary-data==0.23.4

Update your requirements files and lockfiles to reflect that too.

You should also check for a marker file the malware leaves behind. If it's there, the payload ran on that machine:

  • Linux/macOS: /tmp/.trinny-security-update
  • Windows: %TEMP%\.trinny-security-update

If you find it, rotate every credential that environment had access to, and get your security team looking for any suspicious activity on those credentials.
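The remedy above is two checks: is the compromised release installed, and did the payload leave its marker file. The script below is an added example (not from Elementary's advisory) that wraps each check in a function so it can be tested against constructed input; the version string and marker file name come from the advisory, while the `--check` flag, the exit codes and the `uname`-based choice between `%TEMP%` and `/tmp` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from Elementary's advisory: a local check for the two
# indicators described above, written so each step is a separately testable
# function.

# The release the attacker published.
COMPROMISED_VERSION="0.23.3"

# Read `pip show` output on stdin and print the value of its Version line.
parse_pip_version() {
    sed -n 's/^Version: *//p' | head -n1
}

# 0 if $1 is the compromised release, 1 otherwise.
version_is_compromised() {
    [ "$1" = "$COMPROMISED_VERSION" ]
}

# Path of the marker file the payload leaves behind. $1 overrides the
# directory (used by tests); the default follows the advisory: %TEMP% on
# Windows shells (Git Bash, MSYS, Cygwin), /tmp elsewhere.
marker_path() {
    local dir="${1:-}"
    if [ -z "$dir" ]; then
        case "$(uname -s 2>/dev/null)" in
            MINGW*|MSYS*|CYGWIN*) dir="${TEMP:-/tmp}" ;;
            *) dir="/tmp" ;;
        esac
    fi
    printf '%s/.trinny-security-update\n' "$dir"
}

# 0 if the marker exists under the given (or default) directory.
marker_present() {
    [ -e "$(marker_path "${1:-}")" ]
}

# Run the real checks and summarise. Exit 2 if the payload ran here,
# 1 if only the bad version is installed, 0 if nothing was found.
main() {
    local ver status=0
    ver="$(pip show elementary-data 2>/dev/null | parse_pip_version)"
    if version_is_compromised "$ver"; then
        echo "elementary-data $ver is installed: uninstall it and install 0.23.4"
        status=1
    else
        echo "installed elementary-data version: ${ver:-not installed}"
    fi
    if marker_present; then
        echo "$(marker_path) found: the payload ran on this host; rotate every credential it could reach"
        status=2
    else
        echo "$(marker_path) not found"
    fi
    return "$status"
}

# Only run the live checks when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it as `bash check.sh --check` on each machine that ever had the CLI installed; a non-zero exit code is what a fleet-wide job should alert on. Absence of the marker is not proof the payload never ran (it may have been cleaned up, or the temp directory rotated), so treat exit code 1 as a reason to rotate credentials too if the host ran 0.23.3 at any point.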

On their end, Elementary has already pulled 0.23.3 from PyPI, GitHub, and the Docker registry on April 25.

They also decommissioned the compromised workflow, audited the rest of their GitHub Actions for the same type of vulnerability, regenerated all affected secrets, and moved to OIDC authentication.

They are currently working with an Israeli cybersecurity firm to conduct an investigation and step up their protection against such attacks going forward.

About the author
Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.
