Open source supply chain attacks continue to threaten developers, and a recent incident involving Elementary Data's Python CLI illustrates how a single misconfigured CI/CD pipeline can lead to widespread compromise. On April 24, 2024, an attacker leveraged a vulnerability in a GitHub Actions workflow to push malicious code to PyPI, affecting users of the elementary-data package version 0.23.3. This article answers key questions about the attack, how to detect and mitigate it, and what steps Elementary Data has taken to prevent future incidents.
What happened with Elementary Data's Python CLI package on PyPI?
On April 24, 2024, an attacker successfully injected malicious code into the elementary-data Python package, version 0.23.3, which was published to PyPI. The compromised package was available for download for a short window before the company pulled it. The attacker also pushed a malicious Docker image shortly after. Elementary Data's cloud service, dbt package, and all other CLI versions remained safe. Users who installed version 0.23.3 or pulled the Docker image during the attack period were exposed to potential credential theft and unauthorized access to their environments.
How did the attacker exploit the GitHub Actions workflow?
The attack originated from a flaw in one of Elementary Data's GitHub Actions workflows. The workflow was configured to pass text from a pull request comment directly into a shell command without sanitization. At 22:10 UTC on April 24, an attacker posted a malicious comment on a PR. The workflow executed the comment as code, granting the attacker access to runner secrets, including the PyPI publish token and GITHUB_TOKEN. With those credentials, the attacker created branches and pull requests to stage a release, then triggered the official release workflow. By 22:20 UTC, elementary-data 0.23.3 was live on PyPI.
Which users are affected by this compromise?
Only users who installed elementary-data version 0.23.3 from PyPI are directly affected. Additionally, anyone who pulled the compromised Docker image during the attack window (around April 24-25) is at risk. It is important to note that Elementary Cloud, the Elementary dbt package, and all other versions of the CLI are unaffected. However, for those running version 0.23.3, the exposure is serious because the malware could access any environment variables or secrets accessible to the process, potentially compromising cloud credentials, API keys, and other sensitive data.
How can users check if they have the compromised version?
To determine if your system has the affected package, run the following command in your terminal: pip show elementary-data | grep Version. If the output shows Version: 0.23.3, you have the compromised version. Additionally, the malware leaves behind a marker file that indicates whether the payload executed. Check for /tmp/.trinny-security-update on Linux or macOS, or %TEMP%\.trinny-security-update on Windows. If that file exists, the malicious code ran on that machine.
What steps should affected users take to clean up?
If you discover you have version 0.23.3, immediately uninstall it: pip uninstall elementary-data. Then install the clean version: pip install elementary-data==0.23.4. Update your project's requirements.txt and lockfiles accordingly. Next, check for the marker file mentioned in the detection section. If it exists, rotate every credential that environment had access to—cloud access keys, database passwords, API tokens, etc. Engage your security team to investigate any suspicious activity associated with those credentials. Finally, review recent system logs for unauthorized access or data exfiltration.
What measures did Elementary Data take in response?
Elementary Data acted quickly after discovering the breach. On April 25, they removed version 0.23.3 from PyPI, GitHub, and Docker Hub. They decommissioned the vulnerable workflow and audited all other GitHub Actions for similar injection vulnerabilities. All affected secrets were regenerated, and the company transitioned to OIDC authentication to eliminate long-lived credentials. They are collaborating with an Israeli cybersecurity firm to investigate the incident and strengthen their security posture. This includes implementing stricter input validation, adopting least-privilege tokens, and improving monitoring for suspicious CI/CD activity.