Find notable cyber news and cases, enriched with sources, timelines, and signals.

Elementary-data package hit by network compromise

Incident
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The elementary-data project suffered a malicious release compromise that exposed users of PyPI and GitHub Container Registry to a backdoored package and image. An attacker abused a GitHub Actions script injection flaw to obtain the project’s GITHUB_TOKEN, forge a signed v0.23.3 release, and trigger the legitimate pipeline. The booby-trapped release dropped elementary.pth at startup to steal SSH keys, Git credentials, cloud creds, Kubernetes/Docker/CI secrets, .env files, developer tokens, and crypto wallet files. A clean 0.23.4 release replaced the malicious version, but systems that pulled elementary-data==0.23.3 or the :0.23.3 and :latest images remained compromised.

Related Happenings

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 27.04.2026 18:17 2 articles · 2mo ago

    Malicious elementary-data 0.23.3 release disclosed

    Initial Disclosure

    A malicious elementary-data 0.23.3 release was disclosed as having abused a GitHub Actions script injection flaw in the project’s release workflow, used the exposed GITHUB_TOKEN to forge a signed v0.23.3 tag, and published backdoored artifacts to PyPI and GitHub Container Registry. The package and Docker image carried elementary.pth to steal SSH keys, Git credentials, cloud creds, Kubernetes/Docker/CI secrets, .env files, developer tokens, and cryptocurrency wallet files, while a clean elementary-data 0.23.4 replacement was pushed and users of the compromised release and images were told to rotate secrets and restore from a known safe point.

    Show sources