GitHub Actions Vulnerability Led to Malicious Python Package on PyPI – What You Need to Know
A GitHub Actions vulnerability allowed attackers to push malicious code to PyPI via Elementary Data's CLI. Users of version 0.23.3 must remove it, check for a marker file, and rotate credentials.
Attack Overview
Open-source software remains a prime target for cyberattacks, with attackers continuously refining their methods to exploit supply chain weaknesses. The latest incident involves the compromise of Elementary Data's open-source Python CLI, where a malicious version was published to PyPI under the package name elementary-data (version 0.23.3). This attack leveraged a flaw in a GitHub Actions workflow, demonstrating how a single misconfiguration can cascade into a serious security breach. Developers who installed the affected version must act quickly to mitigate potential damage.

How the Hijack Happened
Exploiting Workflow Misconfiguration
The attack originated from a vulnerability in one of Elementary's GitHub Actions workflows. The workflow was configured to accept text from a pull request (PR) comment and pass it directly into a shell command without sanitization. This meant an attacker could craft a comment that, when processed, would execute arbitrary code on the runner.
At 22:10 UTC on April 24, the attacker submitted a malicious comment on a legitimate PR. The workflow treated the comment as code and executed it, exposing the runner's secrets—including the PyPI publish token and the GITHUB_TOKEN—to the attacker.
Staging and Publishing Malicious Code
With access to these secrets, the attacker created branches and PRs necessary to trigger a new release. They then invoked Elementary's release workflow, which pushed elementary-data 0.23.3 live on PyPI by 22:20 UTC. Four minutes later, a tainted Docker image was also pushed to the registry. The entire operation was swift, highlighting the speed with which automated workflows can be weaponized.
Scope of the Compromise
Elementary Data's investigation confirmed that only version 0.23.3 of the Python CLI was compromised. The following are not affected:
- Elementary Cloud
- The Elementary dbt package
- All other versions of the CLI
However, for users who did install the malicious version, the exposure was significant. The malware ran with the full permissions of the environment, meaning it could access any credentials, environment variables, or data accessible to that process.
Who Was Affected
Two groups of users are at risk:
- Python package users who installed elementary-data==0.23.3 from PyPI during the attack window.
- Docker image users who pulled the compromised image from the registry within that timeframe.
If you are in either group, proceed immediately to the remediation steps below.

Immediate Remediation Steps
Check Your Version
First, verify the installed version of elementary-data:
pip show elementary-data | grep Version
If the output shows 0.23.3, remove it and install the clean release:
pip uninstall elementary-data
pip install elementary-data==0.23.4
Make sure to update your requirements.txt or Pipfile.lock to reflect the new version.
Look for Malware Marker
The malware leaves behind a specific marker file. Check for its presence to determine if the payload executed on your machine:
- Linux/macOS: /tmp/.trinny-security-update
- Windows: %TEMP%\.trinny-security-update
If this file exists, the malicious code ran. In that case:
- Rotate every credential the environment had access to (API keys, tokens, passwords).
- Engage your security team to audit for any suspicious activity linked to those credentials.
Lessons Learned and Response
Elementary Data responded swiftly: by April 25 they had pulled version 0.23.3 from PyPI, GitHub, and Docker registries. They also decommissioned the vulnerable workflow, audited all remaining GitHub Actions for similar injection risks, regenerated affected secrets, and transitioned to OIDC-based authentication for future releases.
The company is now collaborating with an Israeli cybersecurity firm to investigate the attack and strengthen defenses. This incident serves as a stark reminder to open-source maintainers to treat every workflow input as untrusted and to adopt principle-of-least-privilege credential management.
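One way to audit workflow files for the injection pattern described under "Exploiting Workflow Misconfiguration" is sketched below. It is an added example, not Elementary's code or workflow. The sample workflow is constructed, the list of flagged context fields is an assumption that goes beyond the PR comment case in the article, and the indentation-based scan is a simplification of real YAML parsing.

```python
import re

# A GitHub Actions expression, e.g. ${{ github.event.comment.body }}
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
# Attacker-controllable context fields (assumed list; extend it for your repositories).
UNTRUSTED = re.compile(
    r"github\.(head_ref\b|event\.(comment|issue|pull_request|review|review_comment)"
    r"\.(body|title|head\.ref)\b)"
)

# Constructed sample: step 1 is the vulnerable pattern, step 2 the hardened form.
SAMPLE_WORKFLOW = """\
on: issue_comment
jobs:
  handle:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable, comment text is spliced into the script
        run: |
          echo "${{ github.event.comment.body }}"
      - name: hardened, comment text arrives as data in an env var
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          echo "$COMMENT"
"""

def find_injection_risks(workflow_text):
    """Return (line_no, expression) for untrusted contexts expanded inside run: scripts."""
    findings = []
    run_indent = None  # indentation of the current `run:` key, None when outside one
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # dedent: the run block has ended
        m = re.match(r"(-\s+)?run:", stripped)
        if m:
            run_indent = indent + len(m.group(1) or "")
        if run_indent is not None:
            # Expressions are expanded before the shell runs, so they become script text.
            for expr in EXPR.findall(line):
                if UNTRUSTED.search(expr):
                    findings.append((no, expr.strip()))
    return findings

if __name__ == "__main__":
    for no, expr in find_injection_risks(SAMPLE_WORKFLOW):
        print(f"line {no}: untrusted input in run script: {expr}")
```

The same expression under env: is not flagged, because there the value reaches the script as data in a quoted shell variable rather than as script text.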