Supply Chain Attack on Elementary Data: How a GitHub Actions Vulnerability Led to Malicious PyPI Releases

Introduction

Open source software continues to be a prime target for cybercriminals, with attackers constantly probing for weaknesses in development pipelines. A recent incident involving Elementary Data serves as a stark reminder of how a single misconfigured workflow can compromise the entire software supply chain. In this article, we’ll break down what happened, who was affected, and the steps you need to take if you were impacted.

Supply Chain Attack on Elementary Data: How a GitHub Actions Vulnerability Led to Malicious PyPI Releases — Source: itsfoss.com

How the Attack Happened

A Flaw in GitHub Actions

The breach originated from a vulnerability in one of Elementary’s GitHub Actions workflows. The workflow was configured to directly execute text from pull request comments as shell commands. This meant that an attacker could inject malicious commands simply by posting a comment on a PR.

The Timeline of Compromise

22:10 UTC, April 24: An attacker posted a malicious comment on a legitimate pull request.
The workflow ran the comment as code, giving the attacker access to secrets like the PyPI publish token and the GITHUB_TOKEN.
Using those credentials, the attacker created branches and pull requests to stage a release, then triggered Elementary’s release pipeline.
22:20 UTC: The malicious package elementary-data 0.23.3 was published to PyPI.
Four minutes later, a compromised Docker image was pushed to the registry.

Impact and Affected Users

Who Is at Risk?

Only users who installed version 0.23.3 from PyPI or pulled the malicious Docker image during the attack window are affected. The following are not impacted:

Elementary Cloud
The Elementary dbt package
All other CLI versions (except 0.23.3)

Severity of Exposure

If you were running the compromised version, the malware had full access to the environment’s resources. This could lead to data theft, credential compromise, or further infiltration of your systems. Immediate action is required.

Steps for Remediation

Check Your Installed Version

Run the following command in your terminal:

pip show elementary-data | grep Version

If it returns 0.23.3, proceed with cleanup.

Remove the Malicious Package and Install Clean Version

Uninstall the compromised package: pip uninstall elementary-data
Install the patched version: pip install elementary-data==0.23.4
Update all requirements.txt and lockfiles to reference the new version.

Look for a Marker File

The malware leaves a marker file to indicate it has executed. Check for its presence:

Linux/macOS: /tmp/.trinny-security-update
Windows: %TEMP%\.trinny-security-update

If the file exists, the payload ran on that machine. In that case:

Rotate every credential that environment had access to (API keys, database passwords, cloud tokens).
Engage your security team to audit for any suspicious activity using those credentials.

What Elementary Did in Response

Elementary acted swiftly after discovering the breach. On April 25, they:

Removed version 0.23.3 from PyPI, GitHub, and the Docker registry.
Decommissioned the vulnerable GitHub Actions workflow.
Audited all other workflows for similar injection risks.
Regenerated all compromised secrets.
Transitioned to OIDC authentication for improved security.
Engaged an Israeli cybersecurity firm to conduct a full investigation and implement stronger defenses.

Conclusion

This incident highlights the critical importance of hardening CI/CD pipelines. Even a seemingly minor misconfiguration—like allowing direct command execution from comments—can open the door to a full supply chain attack. Developers and security teams must audit their GitHub Actions workflows for injection vulnerabilities, adopt least-privilege access controls, and consider using OIDC to avoid long-lived secrets. By staying vigilant, the open source community can better protect itself from such threats.

Tags: