
The package's developers are urging everyone who has installed version 0.23.3 to take the following steps immediately:
1. Check your installed version:
pip show elementary-data | grep Version
2. If the version is 0.23.3, uninstall it and replace it with a clean version:
pip uninstall elementary-data
pip install elementary-data==0.23.4
In your requirements and lockfiles, explicitly pin elementary-data==0.23.4.
3. Clear your pip cache so that a cached copy of the malicious 0.23.3 package cannot be reinstalled.
4. Check for the malware's marker file on any machine where the CLI has run; if the file exists, the payload executed on that machine:
macOS / Linux: /tmp/.trinny-security-update
Windows: %TEMP%\.trinny-security-update
5. Revoke and rotate every credential that was accessible from the environment where 0.23.3 ran: dbt profiles, warehouse credentials, cloud provider keys, API tokens, SSH keys, and the contents of any .env files. CI/CD runners are particularly exposed because they typically hold an extensive set of secrets at runtime.
6. Contact your security team to look for unauthorized use of the exposed credentials. The relevant IOCs are at the bottom of this post.
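To run steps 1, 3 and 4 across many hosts, and to verify the pin from step 2, here is an added shell example; it is not code from the original post or from the Elementary project. The package name, the affected and fixed versions and the marker-file name are taken from the advisory above; the function names, the requirements-file check and the assumption that a Windows host runs this under an MSYS/Git Bash-style shell with $TEMP set are assumptions made here.

```shell
# Added example, not from the original advisory or the elementary-data project.
AFFECTED_VERSION="0.23.3"
FIXED_VERSION="0.23.4"
PACKAGE="elementary-data"
MARKER_NAME=".trinny-security-update"

# Extract the "Version:" line from `pip show` output. Takes the text as an
# argument so the parsing can be checked offline, with no pip or package
# installed.
installed_version() {
    printf '%s\n' "$1" | awk -F': *' '/^Version:/ { print $2; exit }'
}

# True (exit 0) when the parsed version is the compromised release.
is_affected_version() {
    [ "$(installed_version "$1")" = "$AFFECTED_VERSION" ]
}

# True when the marker file the payload drops exists under the given
# directory (/tmp on macOS/Linux, %TEMP% on Windows per the advisory).
marker_present_in() {
    [ -e "$1/$MARKER_NAME" ]
}

# True when a requirements or lock file (contents passed as a string) pins
# exactly the fixed version and nowhere pins the compromised one.
# (Assumed helper: the advisory only says to pin the fixed version.)
pins_fixed_version() {
    printf '%s\n' "$1" | grep -qxF "${PACKAGE}==${FIXED_VERSION}" &&
        ! printf '%s\n' "$1" | grep -qF "${PACKAGE}==${AFFECTED_VERSION}"
}

# Run the checks on this host and print what to do next. Assumption: a
# Windows host runs this under an MSYS/Git Bash-style shell where $TEMP is set.
check_host() {
    local tmpdir ver
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*|CYGWIN*) tmpdir="${TEMP:-/tmp}" ;;
        *) tmpdir=/tmp ;;
    esac
    ver=$(installed_version "$(pip show "$PACKAGE" 2>/dev/null || true)")
    if [ "$ver" = "$AFFECTED_VERSION" ]; then
        echo "[!] $PACKAGE $AFFECTED_VERSION is installed; replace it and purge the cache:"
        echo "    pip uninstall -y $PACKAGE && pip cache purge && pip install $PACKAGE==$FIXED_VERSION"
    else
        echo "[ok] $PACKAGE installed version: ${ver:-none}"
    fi
    if marker_present_in "$tmpdir"; then
        echo "[!] $tmpdir/$MARKER_NAME exists: the payload ran here; revoke and rotate every credential this host could reach"
    else
        echo "[ok] no marker file in $tmpdir"
    fi
}

# Uncomment to run the checks on this machine:
# check_host
```

The parsing and file checks are kept separate from `check_host` so they can be exercised against captured `pip show` output and a test directory; on a fleet, run `check_host` under the same user and shell the CLI normally runs as, since the marker lives in that user's temp directory.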
Over the past decade, supply-chain attacks on open source repositories have become increasingly common. In some cases they have chained: the malicious package compromises the users who install it, and those users' compromised environments are then used to breach further targets.
HD Moore, a hacker with more than four decades of experience and founder and CEO of RunZero, said that user-developed repository workflows, such as GitHub Actions, are notorious for hosting vulnerabilities.
“This is a big problem for open source projects with open repos,” he said. “It’s really hard not to accidentally create dangerous workflows that can be exploited by an attacker’s pull request.”
He said that this package can be used to investigate such vulnerabilities.
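As an added illustration of the workflow class Moore describes, the shell example below is not code from the original post, from RunZero or from any tool it mentions. It embeds a constructed workflow in the dangerous shape, a hardened variant, and a grep-level check that flags the combination. The specific pattern (a `pull_request_target` trigger, which runs with the base repository's secrets, combined with checking out and running the pull request's own code) is a well-known GitHub Actions pitfall but is an assumption here; the page itself does not name it.

```shell
# Added example, not from the original post or any tool it references.

# Constructed sample of the dangerous shape: the job runs with the base
# repository's secrets (pull_request_target), yet checks out and executes
# whatever the pull request author pushed.
RISKY_WORKFLOW='name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}'

# Constructed hardened variant: a plain pull_request trigger, so a PR from a
# fork gets no secrets and only a read-only token, and the default checkout
# builds the merge ref rather than an attacker-chosen head.
SAFER_WORKFLOW='name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm test'

# True when the workflow text uses the privileged pull_request_target trigger.
uses_pull_request_target() {
    printf '%s\n' "$1" | grep -qw 'pull_request_target'
}

# True when the workflow references the PR head (sha, ref or repo), i.e. it
# pulls in code controlled by the PR author.
checks_out_pr_head() {
    printf '%s\n' "$1" | grep -qE 'github\.event\.pull_request\.head\.'
}

# The combination is the risky shape: privileged context plus untrusted code.
workflow_is_risky() {
    uses_pull_request_target "$1" && checks_out_pr_head "$1"
}

# Scan a repository's workflow files and report the risky ones; returns 1 if
# any were found so it can gate a CI step. (Assumed helper.)
scan_workflows() {
    local dir="${1:-.github/workflows}" found=0 f
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        if workflow_is_risky "$(cat "$f")"; then
            echo "[!] $f: pull_request_target + checkout of PR head"
            found=1
        fi
    done
    return $found
}
```

This is a textual check, not a YAML parser: it will flag a workflow that mentions the PR head in a comment, and it will miss a risky workflow that reaches the head through an intermediate expression, so treat a hit as a prompt for manual review of that file rather than a verdict.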