WeSearch

Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers


Attackers exploited a GitHub Actions script injection vulnerability to publish a malicious version of the elementary-data Python CLI (v0.23.3), embedding a credential-stealing backdoor that targeted dbt profiles, cloud provider keys, and SSH secrets from data engineering environments.

Original article: DEV.to (Top)

Opening excerpt (first ~120 words):

SnykSec for Snyk · Posted on Apr 29 · Originally published at snyk.io

Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers

#supplychainsecurity #python #kubernetes #docker

A Python package on PyPI called elementary-data, with over 1 million downloads per month, has suffered a supply chain security attack sourced through a GitHub Actions attack vector.

