Supply Chain Attack on Elementary Data: How a GitHub Actions Vulnerability Led to Malicious PyPI Releases
Introduction
Open source software continues to be a prime target for cybercriminals, with attackers constantly probing for weaknesses in development pipelines. A recent incident involving Elementary Data serves as a stark reminder of how a single misconfigured workflow can compromise the entire software supply chain. In this article, we’ll break down what happened, who was affected, and the steps you need to take if you were impacted.
How the Attack Happened
A Flaw in GitHub Actions
The breach originated from a vulnerability in one of Elementary’s GitHub Actions workflows. The workflow was configured to directly execute text from pull request comments as shell commands. This meant that an attacker could inject malicious commands simply by posting a comment on a PR.
The Timeline of Compromise
- 22:10 UTC, April 24: An attacker posted a malicious comment on a legitimate pull request.
- The workflow ran the comment as code, giving the attacker access to secrets like the PyPI publish token and the
GITHUB_TOKEN. - Using those credentials, the attacker created branches and pull requests to stage a release, then triggered Elementary’s release pipeline.
- 22:20 UTC: The malicious package
elementary-data 0.23.3was published to PyPI. - Four minutes later, a compromised Docker image was pushed to the registry.
Impact and Affected Users
Who Is at Risk?
Only users who installed version 0.23.3 from PyPI or pulled the malicious Docker image during the attack window are affected. The following are not impacted:
- Elementary Cloud
- The Elementary dbt package
- All other CLI versions (except 0.23.3)
Severity of Exposure
If you were running the compromised version, the malware had full access to the environment’s resources. This could lead to data theft, credential compromise, or further infiltration of your systems. Immediate action is required.
Steps for Remediation
Check Your Installed Version
Run the following command in your terminal:
pip show elementary-data | grep VersionIf it returns 0.23.3, proceed with cleanup.
Remove the Malicious Package and Install Clean Version
- Uninstall the compromised package:
pip uninstall elementary-data - Install the patched version:
pip install elementary-data==0.23.4 - Update all
requirements.txtand lockfiles to reference the new version.
Look for a Marker File
The malware leaves a marker file to indicate it has executed. Check for its presence:
- Linux/macOS:
/tmp/.trinny-security-update - Windows:
%TEMP%\.trinny-security-update
If the file exists, the payload ran on that machine. In that case:
- Rotate every credential that environment had access to (API keys, database passwords, cloud tokens).
- Engage your security team to audit for any suspicious activity using those credentials.
What Elementary Did in Response
Elementary acted swiftly after discovering the breach. On April 25, they:
- Removed version 0.23.3 from PyPI, GitHub, and the Docker registry.
- Decommissioned the vulnerable GitHub Actions workflow.
- Audited all other workflows for similar injection risks.
- Regenerated all compromised secrets.
- Transitioned to OIDC authentication for improved security.
- Engaged an Israeli cybersecurity firm to conduct a full investigation and implement stronger defenses.
Conclusion
This incident highlights the critical importance of hardening CI/CD pipelines. Even a seemingly minor misconfiguration—like allowing direct command execution from comments—can open the door to a full supply chain attack. Developers and security teams must audit their GitHub Actions workflows for injection vulnerabilities, adopt least-privilege access controls, and consider using OIDC to avoid long-lived secrets. By staying vigilant, the open source community can better protect itself from such threats.