Malicious Python package poses new supply chain threat

The open-source package elementary-data, with over a million downloads per month, has been compromised. Attackers exploited a vulnerability in a GitHub Actions workflow to steal signing keys and publish a malicious version. Users of version 0.23.3 are advised to rotate their credentials immediately. This will be a familiar phenomenon to developers by now: open-source packages are a popular delivery mechanism for malware.

Last Friday, unknown attackers succeeded in publishing a malicious version of elementary-data on the Python Package Index (PyPI) and as a Docker image. The package, which consists of a CLI for monitoring performance and anomalies in ML systems, has over a million downloads per month. The compromised version bore the version number 0.23.3 and was available for about twelve hours before it was removed.

The attack followed a now-familiar pattern. By exploiting a vulnerability in a GitHub Action, the attackers managed to inject malicious code via a pull request. A bash script then ran within the development environment, granting the attackers access to signing keys and account tokens. They used these to publish a package that was virtually indistinguishable from the official version.

Such attacks have occurred frequently over the past year. Consider a similar compromise via the Nx package on GitHub last summer, which also used an Actions flaw as the attack method. In that incident, attackers also exploited pull requests to undermine the workflow. Research by ReversingLabs shows that the number of malicious open-source packages has risen by 73 percent in 2026. We also recently reported on campaigns such as TeamPCP and GlassWorm, which target development environments in a similar manner.

Sensitive data compromised

The malicious version of elementary-data actively searched for user profiles, warehouse credentials, cloud keys, API tokens, SSH keys, and the contents of .env files. According to the developer, users who have installed version 0.23.3 or are running the related Docker image should assume that their credentials have been compromised.

Developers who have installed version 0.23.3 are asked to remove the package and upgrade to elementary-data==0.23.4. Additionally, check for the malware’s marker file: /tmp/.trinny-security-update on macOS and Linux, or %TEMP%\.trinny-security-update on Windows. CI/CD runners are particularly vulnerable because they typically have broad access to secrets during runtime. The developers have since patched the vulnerability and audited all other GitHub Actions.
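The two checks from the paragraph above, as a triage script. This is an added example, not code from the elementary-data maintainers; it goes slightly beyond the text by scanning every virtualenv under the given roots instead of only the active interpreter. The function names are hypothetical, and the only indicators used are the package name, version and marker file name given in the article.

```python
import email
import os
import re
import sys
from pathlib import Path

PACKAGE, BAD_VERSION = "elementary-data", "0.23.3"  # release named in the article
MARKER = ".trinny-security-update"                  # marker file name from the article


def normalize(name):
    """PEP 503 name normalization, so elementary_data / Elementary.Data also match."""
    return re.sub(r"[-_.]+", "-", name or "").lower()


def find_bad_installs(root):
    """Return *.dist-info dirs under root whose METADATA records the bad release."""
    hits = []
    for meta_file in Path(root).rglob("*.dist-info/METADATA"):
        meta = email.message_from_string(meta_file.read_text("utf-8", "replace"))
        name, version = meta.get("Name"), meta.get("Version", "")
        if normalize(name) == PACKAGE and version.strip() == BAD_VERSION:
            hits.append(meta_file.parent)
    return sorted(hits)


def marker_dirs():
    """Directories the article names: /tmp on macOS/Linux, %TEMP% on Windows."""
    temp = os.environ.get("TEMP") if os.name == "nt" else "/tmp"
    return [Path(temp)] if temp else []


def find_markers(dirs=None):
    """Return marker files that exist in dirs (defaults to marker_dirs())."""
    dirs = marker_dirs() if dirs is None else dirs
    return [Path(d) / MARKER for d in dirs if (Path(d) / MARKER).exists()]


def triage(roots, dirs=None):
    """Scan environment roots and temp dirs; any hit means credentials need rotating."""
    installs = [hit for root in roots for hit in find_bad_installs(root)]
    markers = find_markers(dirs)
    return {"installs": installs, "markers": markers,
            "rotate_credentials": bool(installs or markers)}


if __name__ == "__main__":
    result = triage(sys.argv[1:] or [sys.prefix])  # e.g. pass ~/projects to cover all venvs
    print(result)
    sys.exit(1 if result["rotate_credentials"] else 0)
```

A clean result only shows that neither indicator is present now: a package that was installed and later removed leaves no dist-info directory, so CI runners and containers that pulled 0.23.3 during the exposure window still warrant credential rotation.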