- A widely used PyPI package was recently compromised through a malicious update
- The attack leveraged a GitHub Actions workflow to push infostealer code into a release
- Maintainers quickly issued a clean version, rotated credentials and began an external investigation
A popular Python Package Index (PyPI) package has been compromised and used to deliver malware to its users, experts have warned.
A user recently warned the maintainers of the Elementary package that the latest version, 0.23.3, contained “malicious base64 encoded code”. The maintainers responded quickly, confirming the news, releasing a clean update (0.23.4) and notifying other users.
The elementary-data package is an open source data observation tool for the Data Build Tool (dbt). It is mostly used by data engineers and analysts working with data pipelines, and apparently it is quite popular in the dbt ecosystem with more than a million monthly downloads on PyPI.
Insertion of an infostealer
“An attacker opened a PR with malicious code and exploited a script injection vulnerability in one of our GitHub Actions workflows to publish it as release 0.23.3,” the maintainers explained. “Users who ran 0.23.3 or who pulled and ran the affected Docker image should assume that any credentials available to the environment where it was running may have been exposed.”
It was also confirmed that Elementary Cloud and the Elementary dbt package were not affected, nor were other versions of the CLI.
Acting as an infostealer, the malicious code grabbed SSH keys, Git credentials, cloud credentials, various secrets (Kubernetes, Docker, CI), cryptocurrency wallet files, system data and .env files, and developer tokens.
The maintainers added that the payload also reached the project’s Docker image, since the release workflow that uploads the package to PyPI also pushes the Docker image.
In addition to releasing a clean version, the Elementary team also rotated the PyPI release token, GitHub token, Docker registry credentials, and other secrets. The vulnerable GitHub Actions workflow was removed, and the remaining workflows were thoroughly overhauled.
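The injection pattern the maintainers describe, a `${{ github.event.* }}` expression interpolated directly into a `run:` step, can be checked for across a repository's workflow files. The scanner below and the two constructed workflow snippets are an added example, not Elementary's code or workflows; the list of untrusted event fields is an assumed subset.

```python
"""Flag GitHub Actions run: steps that interpolate attacker-controlled event
data straight into the shell, the script-injection pattern used in this incident."""
import re
# Event fields a pull-request author or commenter controls (constructed subset).
UNTRUSTED = ("github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
             "github.head_ref", "github.event.issue.title", "github.event.comment.body")
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")          # ${{ ... }}
RUN_START = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")    # 'run:' key, optional '- '
def find_script_injection(workflow_text):
    """Return (line_no, expression) for each untrusted expression inside a run: step.
    Values under env: are not flagged: they reach the shell as variables, not as code."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_START.match(line)
        if m:
            run_indent, scan = len(m.group(1)), m.group(2)   # inline command or '|'
        elif run_indent is not None and (
                not line.strip() or len(line) - len(line.lstrip()) > run_indent):
            scan = line                                       # block-scalar continuation
        else:
            run_indent = None                                 # dedented: left the step
            continue
        for expr in EXPR.findall(scan):
            if any(field in expr for field in UNTRUSTED):
                findings.append((no, expr))
    return findings
# Constructed workflows: the same step written unsafely and safely.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  check:
    steps:
      - run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
          git fetch origin ${{ github.event.pull_request.head.ref }}
"""
HARDENED_WORKFLOW = """\
on: pull_request_target
jobs:
  check:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "Checking PR: $PR_TITLE"
          git fetch origin "$HEAD_REF"
"""
```

Running `find_script_injection` over the first snippet reports both interpolations by line number; the hardened form, which passes the same values through `env:`, reports nothing.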
Wiz was also brought in to investigate and fortify Elementary’s defenses. So far, no one has claimed responsibility for the attack.
Via Bleeping Computer