elementary-data PyPI package backdoored via GitHub Actions injection
An attacker (account realtungtungtungsahur) exploited a script-injection flaw in the elementary-data release workflow via PR comment, then used the workflow token to forge release commit b1e4b1f3 and trigger the legitimate publishing pipeline. PyPI elementary-data 0.23.3 and ghcr.io/elementary-data/elementary 0.23.3 + latest shipped a ~245 KB obfuscated payload in elementary.pth. Clean 0.23.4 published April 25.
- Detected by
- Snyk
- Ecosystems
- DockerPyPI
- Packages tracked
- 2
What happened
Snyk disclosed a clean script-injection-to-publish chain against elementary-data, the open-source data-observability tool. An attacker operating as realtungtungtungsahur opened a pull request, then exploited a flaw in the release workflow that allowed PR-comment content to be interpreted as a workflow input. From there the workflow's own token was used to forge a release commit (b1e4b1f3) and trigger the legitimate publishing pipeline.
The published artefacts — PyPI elementary-data 0.23.3 and the matching ghcr.io/elementary-data/elementary image at tags 0.23.3 and latest — shipped a roughly 245 KB obfuscated payload embedded in elementary.pth. The .pth mechanism is important: Python loads any .pth file at interpreter start, so the malware ran on every python invocation in environments that had installed elementary-data 0.23.3, regardless of whether it was the imported package or just present in site-packages.
The payload targets data-engineering credentials in particular: dbt profiles, Snowflake / BigQuery / Redshift connection strings, plus AWS / GCP / Azure keys reachable from the environment. Analytics warehouses tend to be very well-credentialed, which makes this kind of host an unusually high-value target.
The exposure window was 8–10 hours before PyPI removed the malicious wheel. Clean 0.23.4 was published on April 25, 2026. If 0.23.3 ran on any host or in any container, rotate every warehouse and cloud credential reachable from that environment, then pull only images built after April 25.
Affected packages (2)
- PyPI
elementary-data0.23.3 - Docker
ghcr.io/elementary-data/elementary0.23.3latest
Impact
- Targets data engineers and analytics warehouses with broad cloud access
- 8-10 hour exposure window before PyPI removal
- Backdoor present in both PyPI wheel and ghcr.io Docker image
- Harvests dbt profiles, Snowflake/BigQuery/Redshift credentials, AWS/GCP/Azure keys
What to do
- 1Upgrade to elementary-data 0.23.4 immediately
- 2Rotate dbt, Snowflake, BigQuery, Redshift, and cloud credentials on any host that ran 0.23.3
- 3Pull clean Docker images built after 25 April 2026
- 4Block
igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloudat egress