A malicious version of the elementary-data package, which receives 1.1 million monthly downloads, was pushed to PyPI to distribute infostealer malware targeting developer credentials and cryptocurrency wallets.
The elementary-data Python package on PyPI was compromised in a supply chain attack that exposed thousands of developers to information-stealing malware.
The package, widely used in development environments, received the malicious update without immediate detection. The infostealer payload targeted sensitive data including API keys, authentication tokens, cryptocurrency wallet information, and other credentials stored on compromised systems.
With 1.1 million monthly downloads, elementary-data ranks among the most frequently installed packages on PyPI, making it an attractive target for attackers seeking broad distribution of malware.
Detection and Response
Security researchers identified the compromised version and reported the issue to PyPI maintainers. The malicious package was removed from the repository, but the damage window remained open long enough for the malware to reach an unknown number of installations.
Developers who installed the affected version during the window of compromise should assume their systems may be infected. Recommended actions include rotating all credentials, reviewing account activity for unauthorized access, and checking cryptocurrency wallets for suspicious transactions.
Supply Chain Implications
The incident underscores the vulnerability of package repositories to account takeover attacks. With millions of developers relying on PyPI for dependencies, compromised packages can rapidly propagate malware across the development ecosystem.
PyPI has implemented additional security measures including two-factor authentication requirements and API token security features, but attackers continue to target maintenance accounts with phishing and credential stuffing attacks.
Timeline
The exact window during which the malicious version was available remains unclear. Users should check their installation history for elementary-data versions from the compromise period and update to a verified clean release immediately.
Developers are advised to enable notifications for package updates and maintain strict dependency auditing practices to catch similar supply chain compromises early.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.