- A widely used PyPI package was recently compromised via a malicious update
- The attack leveraged a GitHub Actions workflow to include the infostealer’s code in a release.
- Maintainers quickly issued a clean version, rotated credentials, and began an external investigation.
A popular Python Package Index (PyPI) package has been compromised and used to deliver malware to its users, experts have warned.
A user recently warned the maintainers of the Elementary package that the most recent version, 0.23.3, contained “malicious base64-encoded code.” The maintainers soon responded, confirming the news, releasing a clean update (0.23.4) and notifying other users.
The Elementary Data package is an open source data observability tool for dbt (data build tool). It is used mainly by data engineers and analytics engineers working on data pipelines and is reportedly popular in the dbt ecosystem, with over a million monthly downloads on PyPI.
Deploying an information stealer
“An attacker opened a PR with malicious code and exploited a script injection vulnerability in one of our GitHub Actions workflows to publish it as version 0.23.3,” the maintainers explained. “Users who ran 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it was run may have been exposed.”
The maintainers also confirmed that Elementary Cloud and the Elementary dbt package were not affected, nor were other versions of the CLI.
The malicious code acted as an information stealer, collecting SSH keys, Git credentials, cloud credentials, various secrets (Kubernetes, Docker, CI), cryptocurrency wallet files, system data, .env files and developer tokens.
The maintainers added that the payload also reached the project’s Docker image, because the same release workflow that uploads the package to PyPI also builds and pushes the Docker image.
In addition to releasing a clean version, the Elementary team rotated the PyPI publishing token, GitHub token, Docker registry credentials and other secrets. The vulnerable GitHub Actions workflow was removed, and the remaining workflows were audited.
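The maintainers’ statement names a “script injection” in a GitHub Actions workflow as the way the malicious PR got published, and the remediation included auditing the other workflows. The script below is an added example, not Elementary’s workflow or code: it models how the Actions runner turns a contributor-controlled PR title into shell source when it is inlined with `${{ ... }}` inside a `run:` step, shows the `env:` indirection that closes the hole, and includes a grep heuristic for auditing workflow files. The PR title and the workflow snippet are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Elementary's workflow): how a GitHub Actions "script
# injection" works and how to close it. The Actions runner expands ${{ ... }}
# expressions by substituting their text into the run: script BEFORE the shell
# parses it, so any event field an outside contributor controls (PR title,
# body, branch name) becomes shell source. The PR title and workflow snippet
# below are constructed for the demonstration.

# Constructed attacker-controlled PR title: closes the echo's quote, runs a
# command, and re-opens a quote so the rest of the line still parses.
PR_TITLE='Fix typo"; echo $((6*7)); echo "'

# Vulnerable pattern, modelled:
#   run: echo "PR: ${{ github.event.pull_request.title }}"
# The expansion is textual, so the script the shell receives is
#   echo "PR: Fix typo"; echo $((6*7)); echo ""
# and the injected command executes (prints 42).
vulnerable_step() {
    script='echo "PR: '"$PR_TITLE"'"'
    sh -c "$script"
}

# Hardened pattern, modelled:
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
#   run: echo "PR: $PR_TITLE"
# The value reaches the shell as an environment variable and is expanded at
# run time inside double quotes, so its metacharacters are never parsed as code.
hardened_step() {
    PR_TITLE="$PR_TITLE" sh -c 'echo "PR: $PR_TITLE"'
}

# Constructed workflow snippet to audit; one step inlines an event field in run:.
WORKFLOW='name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR: ${{ github.event.pull_request.title }}"
      - run: echo "sha: ${{ github.sha }}"
      - env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: echo "$PR_BODY"'

# Audit heuristic: report run: lines that interpolate github.event.* or
# github.head_ref directly. github.sha is not contributor-controlled, and the
# env: indirection on the last step is the safe form, so only line 7 is flagged.
risky_run_lines() {
    printf '%s\n' "$WORKFLOW" | grep -nE 'run:.*[$][{][{] *github[.](event[.]|head_ref)'
}

echo '--- vulnerable step output ---'
vulnerable_step
echo '--- hardened step output ---'
hardened_step
echo '--- run: lines that need fixing ---'
risky_run_lines
```

Two caveats when using this for an audit. First, the `env:` indirection only helps if the step then treats the variable as data; piping it into `eval`, a templating tool or a second `${{ }}` expansion reintroduces the problem. Second, a fork PR only reaches publish credentials when the workflow runs in a privileged context (for example `pull_request_target`, or a `workflow_run` chain that runs with the base repository’s secrets); on a plain `pull_request` trigger, fork PRs get no secrets and a read-only token, so the trigger in the constructed snippet is as much part of the finding as the interpolation.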
Wiz was also hired to investigate and strengthen Elementary’s defenses. So far no one has claimed responsibility for the attack.
Via BleepingComputer