- A widely used PyPI package was recently compromised by a malicious update.
- The attack leveraged a GitHub Actions workflow to insert infostealer code into a release.
- Officials quickly released a clean version, rotated credentials and launched an external investigation.
A popular Python Package Index (PyPI) package has been compromised and used to deliver malware to its users, experts have warned.
A user recently warned the Elementary package maintainers that the latest version, 0.23.3, contained “malicious base64-encoded code.” Officials quickly responded, confirming the news, releasing a clean update (0.23.4), and notifying other users.
The elementary-data package is an open source data observability tool for Data Build Tool (dbt). It’s primarily used by data engineers and analytics engineers working with data pipelines, and apparently it’s quite popular in the dbt ecosystem, with over a million monthly downloads on PyPI.
Deploying an information stealer
“An attacker opened a PR with malicious code and exploited a script injection vulnerability in one of our GitHub Actions workflows to release it as version 0.23.3,” officials explained. “Users who ran version 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment in which it ran may have been exposed.”
It was also confirmed that Elementary Cloud and the Elementary dbt package were not affected, nor were other CLI versions.
The malicious code acted as an information thief, stealing SSH keys, Git credentials, cloud credentials, various secrets (Kubernetes, Docker, CI), cryptocurrency wallet files, system data, as well as .env files and developer tokens.
Officials added that the payload also reached the project’s Docker image, since the release workflow that uploads the package to PyPI also publishes the Docker image.
In addition to releasing a clean build, the Elementary team also rotated the PyPI release token, GitHub token, Docker registry credentials, and other secrets. The vulnerable GitHub Action workflow was also removed, while other workflows were thoroughly audited.
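The workflow audit mentioned above is where the injection pattern quoted from the maintainers would be hunted for; the scanner below is an added example, not code from the article or the Elementary project, and its list of untrusted expression contexts and its sample workflow are constructed (the article does not say which event field was abused).

```python
# Flag GitHub Actions run: steps that expand attacker-influenced event data
# straight into the shell (added example; not the article's or Elementary's code).
import re
# Contexts a pull-request author can set. Constructed list, non-exhaustive.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.issue.title",
    "github.event.issue.body", "github.event.comment.body", "github.head_ref",
)
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR_RE = re.compile(r'\$\{\{\s*([A-Za-z0-9_.\-\[\]"]+)')

def run_steps(workflow_text):
    """Yield (line_no, script) per run: step, folding YAML block scalars."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, rest, start = len(m.group(1)), m.group(2), i
        if rest and not rest.startswith(("|", ">")):
            yield start, rest  # single-line script
            continue
        body = []  # block scalar: every following line indented deeper than run:
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i])
            i += 1
        yield start, "\n".join(body)

def find_injections(workflow_text):
    """Return [(line_no, context)] for untrusted ${{ }} expressions in run: steps."""
    return [(n, ctx) for n, script in run_steps(workflow_text)
            for ctx in EXPR_RE.findall(script) if ctx.startswith(UNTRUSTED_PREFIXES)]
# Constructed sample: step "weak" is the injectable pattern; step "hardened"
# passes the same value through an env var, so the shell never parses it as code.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  check:
    steps:
      - name: weak
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: hardened
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""
```

Running `find_injections(SAMPLE_WORKFLOW)` reports only the weak step; the hardened step reads the same title from `$PR_TITLE` at run time, so the expression never becomes part of the script text.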
Wiz was also brought in to investigate and fortify Elementary’s defenses. So far, no one has claimed responsibility for the attack.
Via BleepingComputer