How to Detect and Recover from a Compromised PyPI Package: A Step-by-Step Security Guide

Introduction

Open-source software supply chain attacks are becoming increasingly common, and the recent compromise of the elementary-data Python CLI is a stark reminder of how quickly a trusted package can turn malicious. An attacker exploited a flaw in a GitHub Actions workflow on the Elementary Data repository, posting a comment that was executed as code. This gave them access to secrets, including the PyPI token, and they published a malicious version (0.23.3) to PyPI. If you have that version installed, your environment may be at risk. This guide walks you through the essential steps to identify, clean up, and secure your systems after such an incident.

What You Need

• Access to your development machine (Linux, macOS, or Windows)
• Python and pip installed
• Ability to run terminal or command prompt
• Permissions to uninstall Python packages and read system temporary directories
• Alertness for any unusual system behavior

Step-by-Step Guide

1. Step 1: Verify Your Installed Version

   First, check which version of elementary-data you have. Open your terminal (Linux/macOS) or command prompt (Windows) and execute:

   pip show elementary-data | grep Version

   If the output shows 0.23.3, your system has the compromised package. If you see a different version (e.g., 0.23.4 or older), you are safe from this specific attack — but you may still want to follow the cleanup steps if you suspect any other exposure.

2. Step 2: Remove the Malicious Package and Install the Clean Version

   If you confirmed version 0.23.3, you must uninstall it immediately. Run these commands in order:

   pip uninstall elementary-data
   pip install elementary-data==0.23.4

   The latest safe release (0.23.4) ensures you have the legitimate code. After installation, verify the version again with pip show elementary-data.

3. Step 3: Check for the Malware’s Marker File

   The attacker’s payload leaves behind a marker file if it executed. This file is not present on clean installations. Look for it in the temporary directory:

   • Linux/macOS: /tmp/.trinny-security-update
   • Windows: %TEMP%\.trinny-security-update

   Use your file explorer or terminal (e.g., ls -la /tmp/.trinny-security-update) to check. If the file exists, the payload ran, and your system was compromised.

4. Step 4: Rotate Every Credential the Environment Had Access To

   If you found the marker file, assume that all secrets, API keys, and tokens that were available in the environment where you ran the compromised package are now exposed. This includes environment variables, cloud provider credentials, database passwords, and CI/CD secrets. Rotate them immediately — generate new keys and revoke the old ones. Notify your security team so they can monitor for anomalous activity using the affected credentials.

5. Step 5: Update Your Dependency Files

   Even after reinstalling, ensure that your requirements.txt, Pipfile.lock, or pyproject.toml (if you use Poetry or similar) no longer reference version 0.23.3. Update all pins to ==0.23.4 or use a minimum version like >=0.23.4, <0.24. Commit these changes and redeploy your applications.

   

6. Step 6: Review Your Own CI/CD Workflows (Optional but Recommended)

   This attack happened because a GitHub Actions workflow processed untrusted input from a pull request comment. To prevent similar incidents in your own repositories:

   • Avoid passing PR comments or issue body text directly into shell commands. Use explicit steps and validate input.
   • Switch to OIDC authentication for cloud provider access instead of static tokens.
   • Audit all workflows for injection vulnerabilities — treat any user-controlled string as potentially malicious.
   • Regularly rotate deployment tokens and use short-lived credentials where possible.

   Elementary Data has decommissioned the compromised workflow, regenerated secrets, and moved to OIDC. You can adopt similar practices to reduce your attack surface.

Tips for Future Prevention

• Always pin your dependencies to exact versions (e.g., elementary-data==0.23.4) and verify hashes if possible.
• Use automated dependency scanning tools (like Dependabot, Snyk, or GitHub's security alerts) to flag known vulnerable versions.
• Monitor your CI/CD pipeline logs for unusual behavior — for example, unexpected branch creations or release triggers.
• Implement approval gates for deployments: require a second person to approve any release workflow execution.
• If you maintain open-source projects, limit the scope of secrets exposed to workflows and never grant write permissions to actions that process untrusted input.
• Consider using a sandboxed environment (e.g., GitHub's pull_request_target with careful context checks) when handling PR comments from forks.

By following these steps and building security into your development pipeline, you can minimize the impact of future supply chain attacks. Stay vigilant, keep your dependencies up-to-date, and always treat automation tokens as high-value assets.