Elementary Data Compromised in Supply Chain Attack (Campaign)
ID: 496e9c53-cc8d-5b2d-9c29-39de0d64c38a
STIX ID: report--496e9c53-cc8d-5b2d-9c29-39de0d64c38a
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-04-23
Date Updated: 2026-05-11
Author: [email protected] (Wiz Threat Research)
A supply-chain compromise exploited a GitHub Actions script-injection flaw to steal the repository's GITHUB_TOKEN, then used that token to publish a trojanized PyPI package (elementary-data v0.23.3) and a compromised GHCR image. The package shipped a .pth file, which Python's site module processes at interpreter startup, that launched a three-stage obfuscated credential harvester. The harvester collected SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes secrets, developer tokens, and crypto wallets, compressed the data, and exfiltrated it via HTTP POST to a remote C2. Consumers of the package and of unpinned container images were affected.
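The .pth autostart mechanism above is worth checking for on any host that installed the package. Python's site module executes every `.pth` line that begins with `import` (followed by a space or tab) when the interpreter starts; all other lines are treated as paths to add to `sys.path`. The scanner below, an added defender-side example that is not code from Wiz Threat Research or from the elementary-data project, walks a site-packages directory, reports every executable `.pth` line, and attaches extra reasons when the line also uses common obfuscation or execution primitives. The directory path, the token list, and the two sample files are assumptions constructed for this example.

```python
"""Flag .pth files in a site-packages directory that run code at startup.

Added example (not from the advisory or the project). Lines in a .pth file
that start with "import " or "import<tab>" are executed by the site module
when Python starts; that is the hook an autostart payload rides on.
"""
import re
import sys
import tempfile
from pathlib import Path

# Heuristic indicators chosen for this example, not a list from the advisory.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "compile(", "base64", "zlib", "marshal",
    "os.system", "subprocess", "urllib", "requests", "socket", "http",
)

# Only lines matching this are executed by site.py; everything else is a path.
EXEC_LINE = re.compile(r"^import[ \t]")


def scan_pth_text(text):
    """Return findings for one .pth file's content as (lineno, reason, line).

    Every executable line is reported; a legitimate one (e.g. an editable
    install hook) will carry only the baseline reason, which helps triage.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        if not EXEC_LINE.match(line):
            continue  # plain sys.path entry, never executed
        reasons = ["executes at interpreter startup"]
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in line]
        if hits:
            reasons.append("contains " + ", ".join(hits))
        if line.count(";") >= 2:
            reasons.append("multiple statements on one line")
        findings.append((lineno, "; ".join(reasons), line))
    return findings


def scan_site_packages(site_dir):
    """Scan every *.pth directly under site_dir; return {path: findings}."""
    results = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        findings = scan_pth_text(pth.read_text(errors="replace"))
        if findings:
            results[str(pth)] = findings
    return results


# Constructed sample contents (not taken from the advisory) for a stand-alone run.
SAMPLE_BENIGN = "/opt/venv/lib/extra-packages\n# a comment line\n"
SAMPLE_SUSPICIOUS = (
    "import os, sys; import base64; exec(base64.b64decode(b'Y29uc3RydWN0ZWQ='))\n"
)


def demo():
    """Write the constructed samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "benign.pth").write_text(SAMPLE_BENIGN)
        (Path(d) / "suspicious.pth").write_text(SAMPLE_SUSPICIOUS)
        return scan_site_packages(d)


if __name__ == "__main__":
    # Usage: python pth_scan.py [/path/to/site-packages]; no argument runs the demo.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_site_packages(target) if target else demo()
    for path, findings in report.items():
        for lineno, reason, line in findings:
            print(f"{path}:{lineno}: {reason}\n    {line}")
```

Point it at each interpreter's site-packages (`python -c "import site; print(site.getsitepackages())"` lists them) and at virtualenvs on build agents. Expect a few legitimate hits, such as editable-install or virtualenv hooks, that carry only the baseline reason; the extra reasons (decoding, `exec`, several statements chained on one line) are what separate an autostart loader from those.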
