GitHub Actions Workflow Flaw Leads to Malicious PyPI Package: Elementary Data Incident Analysis

By • min read

<h2>Introduction</h2><p>A recent security incident involving the open-source Python CLI tool <strong>elementary-data</strong> has highlighted the growing risks in CI/CD pipelines. On April 24, attackers exploited a vulnerability in a GitHub Actions workflow to inject malicious code into the package. The compromised version, 0.23.3, was published to PyPI and a tampered Docker image was pushed to the registry. This article details how the attack unfolded, who was affected, and the steps users must take to secure their systems.</p><figure style="margin:20px 0"><img src="https://itsfoss.com/content/images/2026/04/elementary-pypi-cyberattack-banner.png" alt="GitHub Actions Workflow Flaw Leads to Malicious PyPI Package: Elementary Data Incident Analysis" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: itsfoss.com</figcaption></figure><h2 id="incident">The Incident: How Attackers Exploited a GitHub Actions Workflow</h2><p>The breach originated from a critical flaw in one of Elementary Data's <strong>GitHub Actions</strong> workflows. The workflow was configured to accept text from pull request comments and pass it directly into a shell command without proper sanitization. This oversight allowed an attacker to execute arbitrary code simply by posting a malicious comment on a PR.</p><p>At <strong>22:10 UTC on April 24</strong>, the attacker submitted a crafted comment on a pull request. The workflow processed it as a legitimate command, exposing sensitive secrets—including the PyPI publish token and the <code>GITHUB_TOKEN</code>. With these credentials, the attacker created branches and pull requests to stage a release. By <strong>22:20 UTC</strong>, the malicious package <code>elementary-data 0.23.3</code> was live on PyPI. Four minutes later, a compromised Docker image was pushed to the registry.</p><h2 id="scope">Scope of the Compromise: Which Users Are Affected?</h2><p>The impact is limited to users who installed <strong>elementary-data 0.23.3</strong> from PyPI or pulled the malicious Docker image during the attack window. Importantly:</p><ul><li><strong>Elementary Cloud</strong> remains unaffected.</li><li>The <strong>Elementary dbt package</strong> is not compromised.</li><li>All other versions of the CLI are safe.</li></ul><p>However, for those running 0.23.3, the consequences are serious. The malware had access to the same environment variables, tokens, and resources as the legitimate application, potentially exposing sensitive data.</p><h2 id="remediation-steps">Immediate Remediation Steps for Affected Users</h2><h3 id="check-version">1. Check Your Installed Version</h3><p>Run the following command to verify your current version:</p><pre><code>pip show elementary-data | grep Version</code></pre><p>If it shows <code>0.23.3</code>, proceed with the removal steps below.</p><h3 id="remove-malicious">2. Remove the Malicious Version and Install the Clean Version</h3><p>Uninstall the compromised package and install the patched version immediately:</p><pre><code>pip uninstall elementary-data pip install elementary-data==0.23.4</code></pre><p>Also update your <code>requirements.txt</code> or lockfiles to reflect version <code>0.23.4</code> to prevent accidental reinstallation of the old version.</p><h3 id="marker-file">3. Look for the Malware's Marker File</h3><p>The malware leaves a marker file to indicate its presence. Check for the following:</p><figure style="margin:20px 0"><img src="https://feed.itsfoss.com/content/images/size/w30/2026/01/2025-pfp-1-1.jpg" alt="GitHub Actions Workflow Flaw Leads to Malicious PyPI Package: Elementary Data Incident Analysis" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: itsfoss.com</figcaption></figure><ul><li><strong>Linux/macOS:</strong> <code>/tmp/.trinny-security-update</code></li><li><strong>Windows:</strong> <code>%TEMP%\.trinny-security-update</code></li></ul><p>If the file exists, the payload executed on that machine. Its presence means the attacker had remote code execution capabilities in that environment.</p><h3 id="rotate-credentials">4. Rotate All Credentials if Marker Found</h3><p>Immediately rotate every credential that the affected environment had access to—API keys, database passwords, cloud provider tokens, etc. Notify your security team to audit activity logs for any unauthorized actions involving those credentials. Consider this a full security incident requiring thorough investigation.</p><h2 id="response">Elementary Data's Response and Future Precautions</h2><p>Elementary Data acted swiftly after discovering the breach. On April 25, they removed version 0.23.3 from PyPI, GitHub, and the Docker registry. Internally, they decommissioned the vulnerable workflow and audited all remaining GitHub Actions for similar injection flaws. All exposed secrets were regenerated, and the team transitioned to <strong>OIDC authentication</strong> to reduce reliance on long-lived tokens.</p><p>To ensure long-term security, Elementary is collaborating with an Israeli cybersecurity firm to investigate the attack and strengthen their CI/CD defenses. This incident serves as a stark reminder that open-source projects must treat their automation workflows as part of the attack surface.</p><h2>Conclusion</h2><p>The exploitation of a GitHub Actions workflow to push malicious code to PyPI is a wake-up call for the developer community. While the immediate damage is contained to version 0.23.3, the attack vector—unsanitized input in CI/CD pipelines—remains a common vulnerability. Users should apply the remediation steps above and consider adopting <a href="#remediation-steps">the credential rotation procedures</a> as part of their incident response plan. For maintainers, it's critical to audit workflows for shell injection risks and implement least-privilege token policies.</p>