Elementary-data package hit by network compromise
Incident
Summary
The elementary-data project suffered a malicious release compromise that exposed users of PyPI and GitHub Container Registry to a backdoored package and image. An attacker abused a GitHub Actions script injection flaw to obtain the project’s GITHUB_TOKEN, forge a signed v0.23.3 release, and trigger the legitimate pipeline. The booby-trapped release dropped elementary.pth at startup to steal SSH keys, Git credentials, cloud credentials, Kubernetes/Docker/CI secrets, .env files, developer tokens, and cryptocurrency wallet files. A clean 0.23.4 release replaced the malicious version, but systems that pulled elementary-data==0.23.3 or the :0.23.3 and :latest images remained compromised.
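A defender's check for the condition described above, as an added example that is not from the elementary-data project or the original report: it audits one site-packages directory for the 0.23.3 install and for `elementary.pth`, and, going slightly beyond the page, flags any `.pth` file containing a line that Python's `site` module would execute at interpreter startup. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from importlib import metadata
from pathlib import Path

# Indicator values taken from the incident summary above.
BAD_DIST, BAD_VERSION, BAD_PTH = "elementary-data", "0.23.3", "elementary.pth"

def _norm(name):
    # Package names compare case-insensitively, with "_" and "." equal to "-".
    return name.lower().replace("_", "-").replace(".", "-")

def audit_site_packages(site_dir):
    """Return (kind, detail) findings for one site-packages directory."""
    site_dir = Path(site_dir)
    findings = []
    for dist in metadata.distributions(path=[str(site_dir)]):
        name = dist.metadata.get("Name") or ""
        if _norm(name) == BAD_DIST and dist.version == BAD_VERSION:
            findings.append(("compromised-release", f"{name}=={dist.version}"))
    for pth in sorted(site_dir.glob("*.pth")):
        if pth.name == BAD_PTH:
            findings.append(("named-dropper", pth.name))
        # site.py executes any .pth line that starts with "import" + space/tab;
        # all other lines are only treated as paths to add to sys.path.
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                findings.append(("executable-pth-line", pth.name))
                break
    return findings

def build_sample(root):
    """Constructed sample tree (no real payload): flagged install + benign .pth."""
    root = Path(root)
    info = root / "elementary_data-0.23.3.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: elementary-data\nVersion: 0.23.3\n")
    (root / "elementary.pth").write_text("import os  # constructed placeholder\n")
    (root / "paths_only.pth").write_text("/opt/extra/lib\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, detail in audit_site_packages(build_sample(tmp)):
            print(kind, detail)
```

Some legitimate tools also ship `.pth` files with `import` lines, so an `executable-pth-line` finding on its own calls for triage; the version and filename matches are the indicators tied to this incident.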
Related Happenings
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Packagist package.json hook supply chain attack campaign
Campaign
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Timeline
- 27.04.2026 18:17 · 2 articles · 1mo ago
  Malicious elementary-data 0.23.3 release disclosed
  Initial Disclosure: A malicious elementary-data 0.23.3 release was disclosed as having abused a GitHub Actions script injection flaw in the project’s release workflow, used the exposed GITHUB_TOKEN to forge a signed v0.23.3 tag, and published backdoored artifacts to PyPI and GitHub Container Registry. The package and Docker image carried elementary.pth to steal SSH keys, Git credentials, cloud credentials, Kubernetes/Docker/CI secrets, .env files, developer tokens, and cryptocurrency wallet files. A clean elementary-data 0.23.4 replacement was pushed, and users of the compromised release and images were told to rotate secrets and restore from a known safe point.
Sources
- PyPI package with 1.1M monthly downloads hacked to push infostealer — www.bleepingcomputer.com — 27.04.2026 18:17