Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers
Blog post from Snyk
The Python package "elementary-data," a widely used dbt-native data observability tool, suffered a critical supply chain compromise delivered through its GitHub Actions workflow. The attacker exploited a script injection flaw in the workflow to publish a malicious version (0.23.3) of the package to PyPI that carried credential-stealing malware. The malware was embedded in a .pth file, so it ran automatically whenever the Python interpreter started, harvesting a wide range of credentials and exfiltrating them to a command-and-control server. The malicious release was live for approximately eight to ten hours before it was removed from PyPI; users who installed or updated to the compromised version, or who ran the related Docker image in their CI/CD pipelines, were affected. The incident highlighted how exposed GitHub Actions workflows are to injection attacks and underscored the importance of supply chain hygiene, including short-lived publishing tokens and workflow hardening. The Elementary team responded quickly, removing the malicious package and releasing a clean version (0.23.4).
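As an added defensive example (not code from the Snyk post or the Elementary project), the script below lists every `.pth` line that a Python interpreter would execute at startup, which is the mechanism the malicious release relied on. It mirrors how `site.py` treats `.pth` files: blank and `#` lines are skipped, lines beginning with `import ` or `import<TAB>` are executed as code, and everything else is a path entry. The sample `.pth` contents and the list of risky tokens are constructed assumptions for illustration.

```python
"""Audit .pth files for lines that Python executes on interpreter startup."""
import os
import re
import site
from typing import Dict, List

# Tokens that are unusual in a legitimate .pth import hook and deserve a closer look.
# This list is a constructed heuristic, not a signature from the incident.
RISKY_TOKENS = re.compile(
    r"\b(exec|eval|compile|base64|urllib|requests|socket|subprocess|__import__)\b"
)


def audit_pth_text(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per line that site.py would exec() at startup."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # site.py ignores blank lines and comments
        if line.startswith(("import ", "import\t")):
            tokens = sorted(set(RISKY_TOKENS.findall(line)))
            findings.append({
                "file": name,
                "line": lineno,
                "code": line,
                "risky_tokens": tokens,
                # Any executable line is worth a review; risky tokens raise the priority.
                "severity": "high" if tokens else "review",
            })
        # Remaining lines are plain sys.path entries and are not executed.
    return findings


def audit_site_packages(dirs: List[str] = None) -> List[Dict[str, object]]:
    """Audit every .pth file in the given (or the current interpreter's) site-packages."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings: List[Dict[str, object]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            if entry.endswith(".pth"):
                path = os.path.join(d, entry)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_pth_text(path, fh.read()))
    return findings


# Constructed samples; the second is a stand-in pattern, not the real payload.
BENIGN_PTH = "/opt/venv/lib/python3.11/site-packages/extras\nimport _virtualenv\n"
SUSPICIOUS_PTH = "# constructed sample\nimport os, base64, urllib.request; exec(base64.b64decode(b''))\n"

if __name__ == "__main__":
    for f in audit_site_packages():
        print(f"[{f['severity']}] {f['file']}:{f['line']} {f['code']}")
```

Running the script inside a CI image before the build step surfaces any `.pth` import hook that was not there in the previous known-good image.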