A malicious version of the elementary-data Python package (0.23.3) was published to PyPI on April 24, 2026, via a GitHub Actions script injection attack. The attacker exploited a vulnerability in the project's own CI workflow, used the GITHUB_TOKEN to forge a signed release commit, and triggered the legitimate publishing pipeline — without touching the main branch. The compromised release includes a .pth file that executes a three-stage credential-stealing payload on every Python invocation. The same workflow also pushed a trojaned multi-arch Docker image to GHCR tagged as both 0.23.3 and latest. The payload harvests SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, .env files, crypto wallet keys, and more, exfiltrating everything to an attacker-controlled endpoint.
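A defender-side check for the persistence mechanism described above, added here as an example and not code from the StepSecurity write-up: it lists every `.pth` line that `site.py` would execute at interpreter startup and flags lines that reach for `exec`, decoding helpers or process spawning. The sample `.pth` content is constructed, not the real payload.

```python
import re
import site
from pathlib import Path

# site.py executes any .pth line that begins with "import" at every interpreter
# start; other lines are only appended to sys.path. Benign import-lines exist
# (e.g. editable-install hooks), so hits below are leads for review, not verdicts.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|subprocess|os\.system|os\.popen|urllib|requests|"
    r"socket|base64|__import__|zlib|marshal)\b"
)


def scan_pth_text(text: str, name: str = "<inline>") -> list[dict]:
    """Return one finding per executable (import-) line in a .pth file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("import"):
            continue  # plain path entries are never executed
        hits = sorted(set(SUSPICIOUS.findall(line)))
        findings.append({
            "file": name,
            "line": lineno,
            "suspicious": hits,  # empty list = executable but nothing flagged
            "text": line[:200],
        })
    return findings


def scan_site_packages(dirs=None) -> list[dict]:
    """Scan every .pth file in the given (or the current) site-packages dirs."""
    dirs = dirs or site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                findings.extend(scan_pth_text(pth.read_text(errors="replace"), str(pth)))
            except OSError:
                continue
    return findings


# Constructed sample: one harmless path line, one line shaped like a loader stub.
SAMPLE_PTH = (
    "/usr/lib/python3/dist-packages\n"
    "import sys; exec(__import__('base64').b64decode('...'))\n"
)

if __name__ == "__main__":
    for f in scan_site_packages():
        flag = "!!" if f["suspicious"] else "  "
        print(f"{flag} {f['file']}:{f['line']} {f['text']}")
```

Run it inside the environment where the package was installed (system site-packages, venv, or a container built from the affected image); a freshly created venv will not show the file.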

Source: stepsecurity.io (4 min read)
Table of contents of the original post:
- The Compromised Release
- The Docker Image Is Compromised Too — Including :latest
- The Payload: A Three-Stage Credential Stealer
