Attackers Push Malicious Elementary CLI Release via GitHub Actions
Attackers used a script-injection flaw in Elementary’s GitHub Actions to publish a malicious 0.23.3 CLI to PyPI and Docker that harvested credentials, SSH keys and crypto wallets.
Attackers injected malicious code into the Elementary Python CLI project’s release pipeline and published a tampered 0.23.3 package to PyPI and a Docker image in the project’s registry. The compromised package collected secrets and sensitive files from any environment where it ran.
Security researchers at StepSecurity found the attackers exploited a script-injection vulnerability in a GitHub Actions workflow used by the project. The workflow’s GITHUB_TOKEN was used to forge a signed release commit and push the malicious build through the normal release process.
The released package included a .pth file that executed when the CLI started. That file ran code that searched for and exfiltrated a range of files and credentials from affected systems.
Analysis of the payload shows it collected SSH private keys, cloud provider credentials for AWS, GCP and Azure, CI/CD secrets, container orchestration data, system information such as passwords and shell history, and cryptocurrency wallet files for Bitcoin, Litecoin, Monero and Ripple.
Project maintainers removed the malicious 0.23.3 release about 12 hours after it appeared and published a patched release, version 0.23.4. They confirmed other parts of the project, including Elementary Cloud, the Elementary dbt package and earlier CLI versions, were not affected.
In a post describing the incident, developers advised anyone who installed version 0.23.3 to assume credentials accessible to the environment where the CLI ran may have been exposed. They instructed users to check their installed CLI version, uninstall the compromised package if present, replace it with 0.23.4, clear caches and search for the malware’s marker file on any machine where the CLI ran. If the marker file is found, the group warned the payload executed on that host and recommended rotating dbt profiles, cloud keys, API tokens, SSH keys and any .env file contents that may have been accessible.
The team noted CI/CD runners are at elevated risk because they commonly have broad sets of secrets mounted at runtime. In response to the incident, maintainers removed the vulnerable GitHub Actions workflow, tightened release permissions and audited other workflows across the organization to identify and fix similar script-injection issues.
Users were urged to verify installed versions and follow the published remediation steps to limit further exposure.
