The package's developers are urging all developers who installed version 0.23.3 to take the following steps immediately:
1. Check your installed version:
   pip show elementary-data | grep Version
2. If the version is 0.23.3, uninstall it and replace it with the secure version:
   pip uninstall elementary-data
   pip install elementary-data==0.23.4
   In your requirements files and lockfiles, pin explicitly to elementary-data==0.23.4.
3. Delete your cache files to avoid any leftover artifacts.
4. Check for the malware's marker file on any machine where the CLI could have run. If this file is present, the payload executed on that machine:
   macOS / Linux: /tmp/.trinny-security-update
   Windows: %TEMP%\.trinny-security-update
5. Rotate any credentials that were accessible from the environment where 0.23.3 ran: dbt profiles, warehouse credentials, cloud provider keys, API tokens, SSH keys, and the contents of any .env files. CI/CD runners are especially exposed because they typically have broad sets of secrets mounted at runtime.
6. Contact your security team to hunt for unauthorized use of the exposed credentials. The relevant IOCs are at the bottom of this post.
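The version check (step 1) and marker-file check (step 4) above lend themselves to a small triage script for sweeping developer machines and CI runners. This is an added example, not the maintainers' tooling; only the package name, the version numbers and the marker paths come from the advisory, while the function names and the Git Bash / MSYS handling of %TEMP% are assumptions.

```shell
#!/bin/sh
# Triage helper for the elementary-data 0.23.3 incident (added example, not
# the maintainers' tooling). Package name, versions and marker paths come
# from the advisory; function names and the Windows detection are assumed.
AFFECTED_VERSION="0.23.3"
FIXED_VERSION="0.23.4"
# Step 1: pull the version out of `pip show` output read on stdin.
# Prints nothing when the package is not installed.
parse_pip_version() {
    awk '/^Version:/ { print $2; exit }'
}

# Step 4: marker path for this host. Under Git Bash / MSYS the %TEMP%
# directory is exposed as $TEMP (assumption); elsewhere use /tmp.
default_marker_path() {
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*|CYGWIN*) printf '%s\n' "${TEMP:-/tmp}/.trinny-security-update" ;;
        *) printf '%s\n' "/tmp/.trinny-security-update" ;;
    esac
}

# Classify a host from its installed version (may be empty) and marker path.
# Exit status: 0 clean, 1 affected version installed but no marker,
# 2 marker present (payload ran: treat every reachable secret as exposed).
classify_host() {
    version="$1"
    marker="$2"
    if [ -f "$marker" ]; then
        echo "COMPROMISED: $marker exists; rotate credentials (step 5) and hunt for misuse (step 6)"
        return 2
    fi
    if [ "$version" = "$AFFECTED_VERSION" ]; then
        echo "AFFECTED: $AFFECTED_VERSION installed; replace with $FIXED_VERSION (step 2)"
        return 1
    fi
    echo "CLEAN: version '${version:-not installed}', no marker at $marker"
    return 0
}

# Live check of this machine; run as: sh triage.sh --run
main() {
    ver=""
    if command -v pip >/dev/null 2>&1; then
        ver="$(pip show elementary-data 2>/dev/null | parse_pip_version)"
    fi
    classify_host "$ver" "$(default_marker_path)"
}
case "${1:-}" in --run) main ;; esac
```

The exit status lets a fleet-management job sort hosts into clean, affected and compromised buckets without parsing the message text.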
Over the past decade, supply-chain attacks on open source repositories have become increasingly common. In some cases they have produced cascading compromises: the malicious package breaches the users who install it, and those breaches in turn lead to further breaches of whatever those users' environments can reach.
HD Moore, a hacker with more than four decades of experience and the founder and CEO of runZero, said that user-developed repository workflows, such as GitHub Actions, are notorious for hosting vulnerabilities.
It’s “a serious problem for open source projects with open repos,” he said. “It’s really hard to not unintentionally create dangerous workflows that may be exploited by an attacker’s pull request.”
He said this package can be used to check for such vulnerabilities.