The compromise originated from a GitHub Actions script injection vulnerability in a workflow that improperly handled untrusted input from pull request comments. An attacker exploited this flaw to execute arbitrary commands within the CI pipeline, gaining access to the repository's GITHUB_TOKEN. This allowed them to forge a signed commit and trigger the legitimate release pipeline, publishing elementary-data v0.23.3 to PyPI and corresponding container images to GHCR - without modifying the main branch or submitting a pull request.
The malicious package included a .pth file (elementary.pth) that executes automatically on Python interpreter startup. This file deployed a three-stage credential harvesting payload, leveraging layered obfuscation (base64 + XOR/MD5) to evade detection. The final payload collected sensitive data from local files and live cloud APIs, including SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes secrets, developer tokens, and crypto wallets. The data was compressed and exfiltrated via HTTP POST to a remote command-and-control (C2) domain. The same payload was embedded in the compromised GHCR container image, including the :latest tag—impacting environments using unpinned images.