{
  "title": "elementary-data PyPI and GHCR GitHub Actions Compromise",
  "summary": "A malicious `elementary-data==0.23.3` release was pushed to PyPI and GHCR after attackers exploited a GitHub Actions script-injection path, adding an interpreter-startup `.pth` infostealer.",
  "date": "2026-04-25",
  "severity": "critical",
  "tags": [
    "pypi",
    "github-actions",
    "ghcr",
    "supply-chain",
    "credential-theft"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "elementary-data-pypi-ghcr-compromise",
    "since": "2026-04-24T22:20:47Z",
    "until": "2026-04-28T00:00:00Z",
    "ecosystem": "pypi, python, container pypi github container registry",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "elementary-data"
    ],
    "versions": [
      "0.23.3",
      "elementary-data==0.23.3",
      "ghcr.io/elementary-data/elementary:0.23.3",
      "ghcr.io/elementary-data/elementary:latest"
    ],
    "affectedVersions": [],
    "fixedVersions": [
      "0.23.4"
    ],
    "files": [
      "elementary.pth",
      "trin.tar.gz",
      "$TMPDIR/.trinny-security-update"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud",
      "trin.tar.gz"
    ],
    "urls": [],
    "ips": [],
    "hashes": [
      "sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
      "sha256:b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9",
      "31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
      "b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9"
    ],
    "processPatterns": [
      "Python startup executes `elementary.pth`"
    ],
    "networkPatterns": [
      "egress related to elementary-data 0.23.3 package or GHCR image"
    ],
    "telemetrySelectors": []
  }
}