Open Source · 2026-04-24 · 1 day · Credential Theft, Self Propagation

elementary-data PyPI and GHCR releases forged

An attacker exploited a GitHub Actions script-injection flaw in elementary-data's issue-update workflow to forge release state, tag v0.23.3 at an orphan commit, and dispatch the legitimate release pipeline.

Story

Between April 24 and 25, 2026, an attacker forged a release of elementary-data, an open-source data-observability tool used in dbt pipelines, by exploiting a script-injection flaw in one of the project's own GitHub Actions workflows. No maintainer ever pushed the bad version; the project's CI did it on the attacker's behalf.

The entry point was a pull-request comment. According to StepSecurity, which reverse-engineered the incident alongside Elementary's own post-mortem, the project ran an issue-update workflow that interpolated comment text directly into a shell run: block. A crafted comment let the attacker execute arbitrary commands inside the workflow with the repository's GITHUB_TOKEN.

From there, the attacker used that token to create an orphan commit, tag it v0.23.3, and add a large elementary.pth file along with a version bump. Python's site module processes every .pth file in site-packages at interpreter startup and executes any line that begins with import, so the payload would run in every interpreter using that environment without any explicit import elementary in the victim's code. The attacker then dispatched the project's normal release workflow against the forged tag. PyPI accepted elementary-data==0.23.3, and GHCR accepted a multi-architecture ghcr.io/elementary-data/elementary image tagged both 0.23.3 and latest, all signed off by the project's own automation.

The payload was a credential stealer of the kind familiar from the broader spring 2026 wave. It walked the host for SSH keys, cloud credentials, Kubernetes config, package-manager tokens, cryptocurrency wallets, and other secrets, then posted an archive named trin.tar.gz to igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud.

Elementary pulled the bad release, rotated affected credentials, and published a clean 0.23.4. The incident is a textbook example of how a single ${{ github.event.comment.body }} interpolated into a shell step can hand an outsider the same publish authority a maintainer holds.
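The interpolation pattern described above, next to the hardened form, as an added illustration written for this page (it is a reconstruction, not Elementary's actual workflow; the workflow name, trigger, job and step names are assumed):

```yaml
# Added illustration, not the project's actual workflow. Trigger, job and
# step names are assumed; only the interpolation pattern is the point.
name: issue-update
on:
  issue_comment:
    types: [created]

jobs:
  update-issue:
    runs-on: ubuntu-latest
    # Listing permissions sets every unlisted scope (contents included) to
    # none, so even a successful command injection in this job cannot use
    # GITHUB_TOKEN to push commits or tags.
    permissions:
      issues: write   # the single scope this job is assumed to need
    steps:
      # VULNERABLE: the ${{ }} expression is expanded by the Actions runner
      # before bash ever sees the script, so the comment text becomes part
      # of the script itself. Shell quoting inside the script cannot help.
      - name: Record comment (unsafe)
        run: |
          echo "New comment: ${{ github.event.comment.body }}" >> comment.log

      # HARDENED: hand the untrusted value to the step as an environment
      # variable. The runner sets it; bash only sees "$COMMENT_BODY", so
      # the comment is data, never code.
      - name: Record comment (safe)
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          printf 'New comment: %s\n' "$COMMENT_BODY" >> comment.log
```

Any github.event field that an outsider controls (issue and PR titles and bodies, review text, branch names, commit messages) deserves the same treatment.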

Affected Artifacts

elementary-data

pypi
Observed
2026-04-24 to 2026-04-25
Compromised Versions
0.23.3
Fixed
Not listed
Hashes
  • sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255
Evidence
distribution: pypi.org/project/elementary-data/0.23.3, file: elementary.pth, domain: igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud, file: trin.tar.gz, +2 more
  • Clean PyPI versions were identified as 0.23.2 and 0.23.4.

Incident Context

Motive
Credential Theft
Attribution
Group
Cause
CI/CD Exploit
Transitive
Yes
Actor
Third Party

Source record: oss/attacks/elementary-data/meta.yaml