Malicious elementary-data Release Steals Cloud API Credentials
A supply-chain attack on the popular elementary-data Python package exposed cloud provider keys and warehouse credentials for roughly 12 hours.
On Friday, April 25, 2026, attackers published a malicious version of the popular Python package elementary-data that harvested credentials from local and CI/CD environments. The supply-chain attack exploited a script injection vulnerability in a developer-configured GitHub Actions workflow. The compromised package, which facilitates anomaly detection and LLM observability in machine learning systems, averages over 1 million monthly downloads.
Credential Theft and Scope
The malicious release, version 0.23.3, remained live for approximately 12 hours before discovery and removal on April 26. Attackers pushed the tainted release simultaneously to the Python Package Index (PyPI) and the project’s Docker image account. The elementary-data CLI is widely integrated into automated pipelines, giving the rogue code broad access to production secrets.
When executed, the payload systematically scoured the local environment or CI/CD runner for sensitive configuration data.
| Target Category | Specific Assets Extracted |
|---|---|
| Cloud Providers | AWS, Azure, and Google Cloud credentials |
| Development Keys | API tokens and .ssh directory contents |
| Configuration | .env file contents and dbt profiles |
| Infrastructure | Data warehouse access tokens |
Attack Execution Path
The breach originated from a malicious pull request that bypassed standard validation. This request exploited a script injection flaw in the project’s GitHub Actions configuration. The vulnerability allowed the attackers to run arbitrary bash scripts within the context of a privileged developer account.
Once inside the execution environment, the attackers extracted PyPI signing keys and account tokens. They used these credentials to publish version 0.23.3. The rogue package was functionally indistinguishable from a legitimate release, mirroring methods seen when the LiteLLM PyPI package was compromised in previous supply-chain incidents.
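The script-injection class described above, as an added check that is not part of the original article or the project's own tooling: a small scanner that reports `run:` steps whose shell text is assembled directly from attacker-controlled event fields, and leaves alone the safe pattern of passing the same value through `env:`. The sample workflow and the (partial) list of untrusted fields are constructed for the example.

```python
"""Flag GitHub Actions `run:` steps that splice attacker-controllable event
fields straight into shell source, the script-injection class behind this
incident.  Added example, not the project's tooling; the workflow is constructed."""
import re

UNTRUSTED = (  # subset of GitHub's documented untrusted inputs: set by a PR/issue author
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.comment.body",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_RE = re.compile(r"(- )?run:\s*(.*)")

def find_script_injection(workflow_text: str):
    """Return (line_no, expression) for each untrusted expression inside a `run:`
    script.  Under `env:` the same expression is safe: it reaches the shell as data."""
    findings, in_run, run_indent = [], False, 0
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # dedent closes the `run: |` block scalar
        m = RUN_RE.match(stripped)
        if m:  # `run:` key; a leading "- " puts the key two columns further in
            in_run, run_indent, text = True, indent + (2 if m.group(1) else 0), m.group(2)
        elif in_run:
            text = stripped  # continuation line of a block scalar
        else:
            continue
        findings += [(line_no, e) for e in EXPR_RE.findall(text) if e.startswith(UNTRUSTED)]
    return findings

SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable - title is expanded into the script text itself
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Safe - title reaches the shell only as a quoted variable
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
          echo "sha: ${{ github.sha }}"
"""
print(find_script_injection(SAMPLE_WORKFLOW))  # [(7, 'github.event.pull_request.title')]
```

Run it over each `.github/workflows/*.yml` in a repository; a non-empty result marks a step to rewrite with the `env:` pattern shown in the safe step.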
Required Remediation
The project maintainers removed the package within three hours of discovery, rotated all internal credentials, and patched the underlying GitHub Actions flaw. They subsequently released a safe version, 0.23.4. Other products, including Elementary Cloud and the Elementary dbt package, were unaffected by this specific breach.
If your systems pulled version 0.23.3, assume that every secret reachable from the affected environment is compromised. Upgrade immediately, pinning elementary-data==0.23.4, and delete local package caches so the compromised artifact cannot be reinstalled by accident.
Finally, rotate all API keys, cloud tokens, and warehouse credentials that were present in the affected environments. Search your CI/CD runner logs for unexpected artifacts or marker files to confirm whether the malicious payload executed during the 12-hour exposure window.