Vigyata.AI

How One Comment Hijacked a Python Package with 1M Downloads #cybersecurity #python

5.6K views· 712 likes· 2:51· Apr 27, 2026

A popular Python package was compromised to steal developer secrets, and the attacker didn't need anyone's password to do it. On April 24, 2026, an attacker exploited a GitHub Actions script injection vulnerability in the elementary-data project (1.1M monthly PyPI downloads) to push a malicious version through the project's own release pipeline. Script injection means an attacker-controlled value, such as the body of a comment, is expanded directly into a workflow's shell step, so the attacker's text runs as commands with the workflow's credentials. The poisoned release contained a .pth file, which Python's site module processes on every interpreter start, that harvested SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallets on every Python invocation. Community developer crisperik identified the compromise about eight hours later, noting similarities to the litellm supply chain attack from March 2026. The maintainers removed the malicious version and published a clean replacement the same day.

Sources:
https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/
https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.
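The GitHub Actions script-injection pattern behind the attack, as an added example that is not code from the video, the elementary-data project, or either source article: two constructed workflow snippets (one vulnerable, one hardened by passing the value through an environment variable), a small line scanner that flags attacker-controlled expressions inside `run:` steps, and a simulation of the textual substitution the runner performs before any shell starts. The list of attacker-controlled contexts and the `"; id; echo "` payload are assumptions made for this demo, not details of the real incident.

```python
"""Added example: GitHub Actions script injection, vulnerable vs hardened."""
import re

# Expression contexts an outside contributor controls. Illustrative list
# (an assumption for this example, not exhaustive); GitHub's hardening
# guide enumerates more.
ATTACKER_CONTROLLED = {
    "github.event.comment.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.review.body",
    "github.head_ref",
}

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def run_steps(workflow_text):
    """Yield (line_no, script) for every `run:` step. Follows a `|` or `>`
    block scalar until indentation drops back. A deliberate line scanner
    rather than a YAML parser, so the example needs no third-party package."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest, line_no = len(m.group(1)), m.group(2).strip(), i + 1
        i += 1
        if rest in ("|", ">", "|-", ">-"):
            body = []
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append(lines[i])
                i += 1
            yield line_no, "\n".join(body)
        else:
            yield line_no, rest


def find_injections(workflow_text):
    """Report (line_no, expression) for attacker-controlled expressions
    that appear inside a run: script, the sink the video describes."""
    hits = []
    for line_no, script in run_steps(workflow_text):
        for expr in EXPR.findall(script):
            if expr in ATTACKER_CONTROLLED:
                hits.append((line_no, expr))
    return hits


def render(script, context):
    """Simulate the runner: expressions are substituted as plain text into
    the script before any shell sees it. That substitution, not the shell,
    is the root cause of the injection."""
    return EXPR.sub(lambda m: context.get(m.group(1), ""), script)


# Constructed workflow: the comment body is interpolated into the script.
VULNERABLE = """\
name: triage
on:
  issue_comment:
    types: [created]
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment was: ${{ github.event.comment.body }}"
"""

# Constructed hardened form: the value reaches the shell only as data.
HARDENED = """\
name: triage
on:
  issue_comment:
    types: [created]
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          echo "Comment was: $COMMENT"
"""

# Constructed payload: harmless, but it closes the quote and runs `id`.
MALICIOUS_COMMENT = '"; id; echo "'

if __name__ == "__main__":
    print("vulnerable:", find_injections(VULNERABLE))
    print("hardened:  ", find_injections(HARDENED))
    script = next(s for _, s in run_steps(VULNERABLE))
    print(render(script, {"github.event.comment.body": MALICIOUS_COMMENT}))
```

The hardened form is the usual fix: an `env:` mapping is set by the runner as a real environment variable, so `$COMMENT` is expanded by the shell as a single string and never parsed as code. Note the scanner only looks at `run:` scripts; the same expressions are equally dangerous inside `actions/github-script` bodies or any other step that evaluates text.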
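Why a .pth file runs on every Python invocation, as an added example that is not code from the video or the elementary-data release: Python's `site` module `exec()`s any line of a `.pth` file that begins with `import`, so a single such line is an arbitrary-code hook fired at interpreter start. The block writes a constructed, harmless .pth into a temporary directory, lets `site.addsitedir()` process it the way startup does, and then runs a small audit that lists every executable .pth line in a set of directories. The `PTH_DEMO_RAN` marker and file name are assumptions for the demo.

```python
"""Added example: .pth files as a startup code hook, plus an audit helper."""
import os
import site
import tempfile

MARKER = "PTH_DEMO_RAN"  # assumption: a harmless environment marker for the demo


def demo_pth_executes(tmpdir):
    """Write a constructed .pth whose only `import` line sets a marker, then
    process the directory exactly as site.py does at interpreter start."""
    os.environ.pop(MARKER, None)
    with open(os.path.join(tmpdir, "zz_demo.pth"), "w", encoding="utf-8") as f:
        # site.py exec()s the whole line when it starts with "import ".
        # Everything after the first statement is arbitrary Python, which is
        # all a malicious package needs.
        f.write(f"import os; os.environ['{MARKER}'] = '1'\n")
    site.addsitedir(tmpdir)
    return os.environ.get(MARKER) == "1"


def audit_pth(dirs=None):
    """Return (path, line) for every executable line in every .pth file
    under the given directories (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                for line in f:
                    # Same test site.py uses to decide whether to exec a line.
                    if line.startswith(("import ", "import\t")):
                        findings.append((path, line.rstrip("\n")))
    return findings


def run_demo():
    """Run the demo in a throwaway directory; returns (executed, lines_found)."""
    with tempfile.TemporaryDirectory() as tmp:
        executed = demo_pth_executes(tmp)
        lines = [line for _, line in audit_pth([tmp])]
    return executed, lines


if __name__ == "__main__":
    print("demo .pth executed:", run_demo())
    print("executable .pth lines in this interpreter's site dirs:")
    for path, line in audit_pth():
        print(f"  {path}: {line}")
```

Not every hit is malicious: setuptools ships `distutils-precedence.pth` with an `import` line, and virtualenv installs `_virtualenv.pth`. The point of the audit is that the list should be short, expected, and unchanged after an upgrade; a new .pth arriving with a package that has no reason to hook interpreter start is the signal to investigate.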
