Feed
CriticalPublished 24 Apr 20262 packages · 3 versions

elementary-data PyPI package backdoored via GitHub Actions injection

Summary

An attacker (account realtungtungtungsahur) exploited a script-injection flaw in the elementary-data release workflow via PR comment, then used the workflow token to forge release commit b1e4b1f3 and trigger the legitimate publishing pipeline. PyPI elementary-data 0.23.3 and ghcr.io/elementary-data/elementary 0.23.3 + latest shipped a ~245 KB obfuscated payload in elementary.pth. Clean 0.23.4 published April 25.

ci-cd-compromisecredential-theftaccount-takeover
Detected by
Snyk
Ecosystems
DockerPyPI
Packages tracked
2

What happened

Snyk disclosed a clean script-injection-to-publish chain against elementary-data, the open-source data-observability tool. An attacker operating as realtungtungtungsahur opened a pull request, then exploited a flaw in the release workflow that allowed PR-comment content to be interpreted as a workflow input. From there the workflow's own token was used to forge a release commit (b1e4b1f3) and trigger the legitimate publishing pipeline.

The published artefacts — PyPI elementary-data 0.23.3 and the matching ghcr.io/elementary-data/elementary image at tags 0.23.3 and latest — shipped a roughly 245 KB obfuscated payload embedded in elementary.pth. The .pth mechanism is important: Python loads any .pth file at interpreter start, so the malware ran on every python invocation in environments that had installed elementary-data 0.23.3, regardless of whether it was the imported package or just present in site-packages.

The payload targets data-engineering credentials in particular: dbt profiles, Snowflake / BigQuery / Redshift connection strings, plus AWS / GCP / Azure keys reachable from the environment. Analytics warehouses tend to be very well-credentialed, which makes this kind of host an unusually high-value target.

The exposure window was 8–10 hours before PyPI removed the malicious wheel. Clean 0.23.4 was published on April 25, 2026. If 0.23.3 ran on any host or in any container, rotate every warehouse and cloud credential reachable from that environment, then pull only images built after April 25.

Affected packages (2)

  • PyPIelementary-data
    0.23.3
  • Dockerghcr.io/elementary-data/elementary
    0.23.3latest

Impact

  • Targets data engineers and analytics warehouses with broad cloud access
  • 8-10 hour exposure window before PyPI removal
  • Backdoor present in both PyPI wheel and ghcr.io Docker image
  • Harvests dbt profiles, Snowflake/BigQuery/Redshift credentials, AWS/GCP/Azure keys

What to do

  1. 1Upgrade to elementary-data 0.23.4 immediately
  2. 2Rotate dbt, Snowflake, BigQuery, Redshift, and cloud credentials on any host that ran 0.23.3
  3. 3Pull clean Docker images built after 25 April 2026
  4. 4Block igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud at egress

References

pypi-2026-04-24-elementary-data