Security Incident at Elementary Data
Elementary Data reported that its GitHub Actions workflows were compromised, which allowed attackers to publish a malicious package release, elementary-data 0.23.3, to the PyPI repository and to the project's GitHub repositories. The release contained malicious code designed to steal confidential information from users' systems. The malicious release was also bundled into the project's official Docker image. Over the past month, the elementary-data package was downloaded from PyPI more than 1.1 million times.
The malicious release was made public on April 25 at 1:20 (MSK) and remained available for download for over 11 hours, until 12:45. The attack was carried out by submitting a pull request with a specially crafted comment that exploited a vulnerability in an automatically triggered GitHub Actions workflow. This allowed the attackers to execute shell commands in the continuous integration environment and read the GITHUB_TOKEN environment variable, which held the repository access token. The token was then used to create several branches in the Git repository and prepare a release.
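The workflow weakness described above, where text from a pull request comment is interpolated into a shell step, is one that can be caught before merge. As an added example that is not Elementary's code or workflow, here is a small Python lint that flags `${{ }}` expressions referencing contributor-controlled event fields inside `run:` steps; it runs over a constructed workflow whose first step shows the unsafe interpolation and whose second shows the usual fix of passing the value through an environment variable. The context list and the sample workflow are assumptions for illustration, not taken from the incident.

```python
import re

# Event fields an outside contributor controls (from GitHub's own hardening
# guidance); interpolating them into a run: step lets that text run as shell.
UNTRUSTED_CONTEXTS = (
    "github.event.comment.body", "github.event.issue.title",
    "github.event.issue.body", "github.event.pull_request.title",
    "github.event.pull_request.body", "github.event.pull_request.head.ref",
    "github.event.review.body", "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")   # one ${{ ... }} expression
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)")      # "run:" or "- run:" step key


def find_script_injection(workflow_text):
    """Return (line_no, context) for every ${{ }} expression inside a run: step
    that names an untrusted context. Indentation-based text scan, not a YAML parser."""
    findings, in_run, run_col = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        col = len(line) - len(stripped)
        m = RUN_KEY.match(stripped)
        if m:                                   # start of a run: step
            in_run, run_col = True, col + len(m.group(1) or "")
            body = m.group(2)
        elif in_run and (not stripped or col > run_col):
            body = stripped                     # continuation of a block scalar
        else:
            in_run = False                      # back at step-key level
            continue
        for expr in EXPR.findall(body):
            findings.extend((no, c) for c in UNTRUSTED_CONTEXTS if c in expr)
    return findings


# Constructed sample workflow, not Elementary's real file: step 1 drops the
# PR comment straight into the shell, step 2 passes it via an env var.
SAMPLE_WORKFLOW = """\
on: issue_comment
jobs:
  handle:
    steps:
      - name: Unsafe, comment text becomes shell script
        run: |
          echo "${{ github.event.comment.body }}"
      - name: Safe, comment text stays data
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: echo "$COMMENT"
"""
```

Only the first step is reported; the second is not flagged because the untrusted value never reaches the `run:` script text.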
The release pushed out by the attackers contained base64-encoded malicious code that activated on installation. The code could scan the system and extract sensitive data such as SSH and SSL/TLS keys, environment variables, credentials for cloud platforms (AWS, GCP, Azure and Kubernetes), cryptocurrency wallet keys, database passwords, shell history, and configuration files for Git, CI/CD, package managers and Docker.