Urgent Security Advisory: Element-Data CLI Compromised
A popular open source package with over one million monthly downloads has been compromised in a sophisticated supply chain attack. The malicious package, element-data version 0.23.3, was published to PyPI and Docker Hub, stealing user credentials and sensitive keys.
Attackers exploited a vulnerability in the developers' account workflow to gain access to signing keys and other sensitive information. They then pushed the backdoored version, which ran a credential-harvesting routine on any system where it was installed or executed.
Quotes from Developers
“Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed,” the Elementary Cloud team wrote in a security advisory.
“We urge all users to treat their environments as compromised and rotate all secrets, tokens, and keys immediately,” added the team.
Background: What Happened?
Element-data is a command-line interface used to monitor performance and anomalies in machine-learning systems. It is maintained by the Elementary startup and is widely adopted in MLOps workflows.
On Friday, unknown attackers exploited a vulnerability in the developers' account workflow. This gave them access to the project’s signing keys, enabling them to sign and publish malicious releases. The backdoored version 0.23.3 was pushed to the Python Package Index (PyPI) and Docker image accounts.
When run, the malicious package scavenged systems for:
- User profiles
- Warehouse credentials
- Cloud provider keys
- API tokens
- SSH keys
The malicious version remained available for about 12 hours before being removed on Saturday. Elementary Cloud, the Elementary dbt package, and all other CLI versions were not affected.
What This Means for Users
Any user who installed or ran version 0.23.3 must assume their credentials are compromised. This includes not only the machine where the package was executed but any services accessible from that environment.
Immediate actions required:
- Rotate all cloud provider keys, API tokens, and SSH keys.
- Audit user profiles and permissions for unauthorized changes.
- Review warehouse and database access logs for suspicious activity.
- Consider the affected environment fully compromised and rebuild if possible.
Broader Security Implications
This incident highlights a growing trend of attackers targeting open source supply chains. By exploiting account vulnerabilities rather than code flaws, adversaries can inject malicious code without raising immediate alarms.
“The use of signing keys in this attack is particularly concerning,” said security researcher Dr. Anna Liu. “It allowed the malicious package to appear legitimate, bypassing typical integrity checks.”
Organizations should enforce multi-factor authentication on all developer accounts and implement stricter controls on signing keys. Continuous monitoring of package registry changes is also recommended.
Timeline of Events
- Friday: Attackers exploit developer account vulnerability; push malicious element-data 0.23.3 to PyPI and Docker.
- Saturday: Elementary team detects and removes the malicious package; security advisory issued.
- Ongoing: Users urged to rotate credentials and assume compromise.
For detailed technical analysis, see the full advisory from Elementary. (Jump to Background)
This is a developing story. Check back for updates.