Open source package with 1 million monthly downloads stole user credentials
Source: Ars Technica
Immediate remediation steps
- Check your installed version:
  pip show elementary-data | grep Version
- If the version is 0.23.3, uninstall it and install the safe version:
  pip uninstall elementary-data
  pip install elementary-data==0.23.4
  In your requirements.txt and lockfiles, pin explicitly to elementary-data==0.23.4.
- Delete your cache files to avoid any artifacts.
- Look for the malware’s marker file on any machine where the CLI may have run. If this file is present, the payload executed on that machine.
  - macOS / Linux: /tmp/.trinny-security-update
  - Windows: %TEMP%\.trinny-security-update
- Rotate any credentials that were accessible from the environment where 0.23.3 ran – dbt profiles, warehouse credentials, cloud provider keys, API tokens, SSH keys, and the contents of any .env files. CI/CD runners are especially exposed because they typically have broad sets of secrets mounted at runtime.
- Contact your security team to hunt for unauthorized usage of exposed credentials. The relevant IOCs are listed at the bottom of the incident report: Security incident report – malicious release of elementary‑oss‑python‑cli v0.23.3.
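The first four remediation steps (version check, pin check, marker-file check) can be run as one triage script across every host and CI runner where the CLI may have been installed. The script below is an added example, not code from the article, Ars Technica or the Elementary project. It assumes a POSIX sh, `pip` on PATH for the interpreter you want to inspect, and the marker-file paths quoted in the steps above; the Windows %TEMP% path is only resolved when the script runs under a POSIX shell that exports TEMP. Credential rotation and the IOC hunt remain manual steps.

```shell
#!/bin/sh
# Added triage helper for the elementary-data 0.23.3 incident (example code,
# not from the article or the Elementary project). Assumptions: POSIX sh,
# `pip` on PATH, marker paths as quoted in the remediation steps.

MALICIOUS_VERSION="0.23.3"
SAFE_VERSION="0.23.4"
SAFE_VERSION_RE='0\.23\.4'        # regex-escaped copy of SAFE_VERSION for grep
MARKER_NAME=".trinny-security-update"

# Step 1: what is installed? Prints the version, or nothing if the package
# (or pip itself) is absent from this environment.
installed_version() {
    pip show elementary-data 2>/dev/null | awk '/^Version:/ { print $2 }'
}

# Step 2: is a given version string the malicious release?
is_malicious_version() {
    [ "$1" = "$MALICIOUS_VERSION" ]
}

# Does a requirements/constraints file pin the safe version exactly?
# Matches "elementary-data==0.23.4" followed by end of line, whitespace,
# an environment marker (";") or a comment ("#"); case-insensitive like pip.
pinned_safe() {
    grep -Eiq "^elementary-data==${SAFE_VERSION_RE}([[:space:]]|;|#|$)" "$1"
}

# Step 4: where the marker file would live on this OS.
marker_path() {
    case "$(uname -s 2>/dev/null)" in
        Darwin|Linux) echo "/tmp/${MARKER_NAME}" ;;
        *)            echo "${TEMP:-/tmp}/${MARKER_NAME}" ;;   # assumption: TEMP exported on Windows shells
    esac
}

# Returns 0 if the marker file exists at the given path.
marker_present() {
    [ -f "$1" ]
}

# Run all checks; arguments are requirements files to inspect for the pin.
# Returns 1 when at least one finding needs action, 0 otherwise.
triage() {
    status=0
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "elementary-data: not installed for this pip"
    elif is_malicious_version "$v"; then
        echo "FINDING: elementary-data $v is the malicious release; uninstall and install ==$SAFE_VERSION"
        status=1
    else
        echo "elementary-data $v installed (not the malicious release)"
    fi

    m=$(marker_path)
    if marker_present "$m"; then
        echo "FINDING: marker $m present; the payload ran here, rotate every credential reachable from this host"
        status=1
    else
        echo "marker $m absent"
    fi

    for f in "$@"; do
        if pinned_safe "$f"; then
            echo "$f pins elementary-data==$SAFE_VERSION"
        else
            echo "FINDING: $f does not pin elementary-data==$SAFE_VERSION"
            status=1
        fi
    done
    return "$status"
}

# Example invocation: sh triage.sh requirements.txt constraints.txt
triage "$@" || :
```

Run it once per Python interpreter (a virtualenv, a CI image, a notebook kernel) rather than once per machine, since `pip show` only reports the environment it belongs to; a non-zero return from `triage` is the signal to start the credential rotation step.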
Background on supply‑chain attacks
Over the past decade, supply‑chain attacks on open‑source repositories have become increasingly common. In many cases a malicious package first breaches the users who install it, and those breaches then cascade into compromises of the users’ own environments.
Expert commentary
HD Moore, a veteran security researcher and founder/CEO of runZero, notes that user‑developed repository workflows—such as GitHub Actions—are notorious for hosting vulnerabilities.
“It’s a major problem for open‑source projects with open repos. It’s really hard to not accidentally create dangerous workflows that can be exploited by an attacker’s pull request.”
He recommends using the following tool to check for such vulnerabilities:
https://github.com/zizmorcore/zizmor