Python Package Hacked for Infostealer Malware Distribution
The Malicious Update to the Elementary-Data Package
The elementary-data package, a popular tool in the dbt ecosystem, was recently hit by a malicious update on the Python Package Index (PyPI). An attacker exploited a vulnerability in the project’s workflow and pushed the compromised version, 0.23.3, to the platform.
The Attack and Its Consequences
- The attackers stole sensitive developer data, including SSH keys, Git credentials, cloud credentials, and crypto wallet files.
- The malicious update was designed to create a backdoor in the package that would automatically load a secrets stealer upon execution.
- Users whose installs did not pin the package to a specific version inadvertently pulled the backdoored build, exposing their sensitive data to the attackers.
- The researchers from StepSecurity noted that the attackers targeted specific types of data, including system data and environment variables.
According to the report, the same payload also reached the project’s Docker image, as the release package workflow that uploads to PyPI also includes a build-and-push-docker-image job.
The researchers warned that users should be aware of the potential risks associated with the attack and take necessary precautions to protect themselves and their sensitive data.
The Response and Aftermath
- The project maintainer quickly released a clean replacement, version 0.23.4, to mitigate the damage.
- However, users who had already installed the compromised package were left vulnerable, highlighting the importance of monitoring software updates and being cautious when interacting with third-party packages.
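The two practical takeaways above, pinning the package version and checking for the backdoored build once the clean replacement exists, can be turned into a small audit script. The following is an added example for this article, not code from StepSecurity or the elementary project. The only incident-specific values it uses are the two versions the article names, 0.23.3 (backdoored) and 0.23.4 (clean replacement); the requirements lines it scans are constructed for the example, and the package name `example-helper` is a placeholder.

```python
"""Audit a requirements file for unpinned packages and for the
backdoored elementary-data build named in the article.

Added example; assumptions: the requirement lines are a constructed
sample, and `example-helper` is a placeholder package name.
"""
import re
from importlib import metadata

# Versions taken from the article: 0.23.3 was backdoored, 0.23.4 replaced it.
COMPROMISED = {"elementary-data": {"0.23.3"}}
CLEAN_REPLACEMENT = {"elementary-data": "0.23.4"}

# Loose PEP 508 requirement line: name, optional [extras], optional specifier set.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?P<spec>(?:===|[<>=!~]=?)\s*[^;#\s,]+"
    r"(?:\s*,\s*(?:===|[<>=!~]=?)\s*[^;#\s,]+)*)?"
)

# Constructed sample requirements file for this example.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
dbt-core>=1.7
elementary-data            # no pin: resolves to whatever is newest
Elementary_Data==0.23.3    # the backdoored build named in the article
example-helper==1.0.0      # placeholder package, pinned and unaffected
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation so Elementary_Data and elementary-data compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Return (normalised name, specifier) for one requirements.txt line.

    Comments, blank lines and option lines such as '-r base.txt' yield None.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _REQ_RE.match(stripped)
    if not m:
        return None
    return normalize(m.group("name")), (m.group("spec") or "").replace(" ", "")


def audit_requirements(text: str) -> list:
    """Classify every requirement as 'ok', 'unpinned' or 'compromised'."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, spec = parsed
        finding = {"name": name, "spec": spec, "status": "ok"}
        # Only an exact pin (== or ===) with a single clause counts as pinned;
        # a range or a bare name would have pulled 0.23.3 while it was newest.
        pinned = re.fullmatch(r"===?[^,]+", spec) is not None
        if not pinned:
            finding["status"] = "unpinned"
        elif spec.lstrip("=") in COMPROMISED.get(name, set()):
            finding["status"] = "compromised"
            finding["fix"] = f"{name}=={CLEAN_REPLACEMENT[name]}"
        findings.append(finding)
    return findings


def installed_status(name: str = "elementary-data") -> dict:
    """Check whether the running interpreter has the package installed and,
    if so, whether its version is one the article identifies as backdoored."""
    try:
        version = metadata.version(name)
    except metadata.PackageNotFoundError:
        return {"name": name, "installed": False}
    return {
        "name": name,
        "installed": True,
        "version": version,
        "compromised": version in COMPROMISED.get(normalize(name), set()),
    }


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f)
    print(installed_status())
```

Run against a real requirements file, any `unpinned` finding is a package that would have followed the malicious release automatically, and a `compromised` finding is an install that still needs to be rolled forward to the clean replacement; `installed_status()` performs the same check against the current environment rather than a file.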
The elementary-data package has over 1.1 million monthly downloads, making it a widely relied-upon component in many dbt-based data stacks. The recent attack serves as a reminder of the importance of security in open-source projects and the need for vigilance in monitoring software updates.
