A malicious version of the elementary-data package, which receives 1.1 million monthly downloads, was pushed to PyPI to distribute infostealer malware targeting developer credentials and cryptocurrency wallets.
The elementary-data Python package on PyPI was compromised in a supply chain attack that exposed thousands of developers to information-stealing malware.
The package, widely used in development environments, received the malicious update without immediate detection. The infostealer payload targeted sensitive data including API keys, authentication tokens, cryptocurrency wallet information, and other credentials stored on compromised systems.
With 1.1 million monthly downloads, elementary-data ranks among the most frequently installed packages on PyPI, making it an attractive target for attackers seeking broad distribution of malware.
Detection and Response
Security researchers identified the compromised version and reported the issue to PyPI maintainers. The malicious package was removed from the repository, but the damage window remained open long enough for the malware to reach an unknown number of installations.
Developers who installed the affected version during the window of compromise should assume their systems may be infected. Recommended actions include rotating all credentials, reviewing account activity for unauthorized access, and checking cryptocurrency wallets for suspicious transactions.
Supply Chain Implications
The incident underscores the vulnerability of package repositories to account takeover attacks. With millions of developers relying on PyPI for dependencies, compromised packages can rapidly propagate malware across the development ecosystem.
PyPI has implemented additional security measures including two-factor authentication requirements and API token security features, but attackers continue to target maintenance accounts with phishing and credential stuffing attacks.
Timeline
The exact window during which the malicious version was available remains unclear. Users should check their installation history for elementary-data versions from the compromise period and update to a verified clean release immediately.
Developers are advised to enable notifications for package updates and maintain strict dependency auditing practices to catch similar supply chain compromises early.
Microsoft has released a patch for a zero-day vulnerability in Windows Defender that could allow attackers to exhaust hard disk space. The flaw was discovered and reported by security researcher NightmareEclipse.
A software defect from 2006 triggered a cascading network failure that knocked out Telstra's national phone service Wednesday morning. The bug, related to daylight savings time processing, created a 'digital domino chain' that locked customers out across the country.
The EU Parliament is advancing legislation that would require tech companies to scan for child sexual abuse material (CSAM), reviving a proposal rejected in March. End-to-end encrypted services like WhatsApp would be exempt from the requirements.
Hackers compromised the Injective Labs SDK repository on GitHub and published a malicious package to npm that steals cryptocurrency wallet private keys and seed phrases from developers.