
1.1 Million Developers Downloaded Malware That Steals SSH Keys and Crypto Wallets
Everyone tells you to "trust but verify" your dependencies. Here's the problem: nobody actually verifies anything.
On April 27, 2026, version 0.23.3 of elementary-data dropped on PyPI. Looked normal. Felt normal. Had 1.1 million monthly downloads worth of developer trust behind it.
It was stealing everything.
"Credentials are stolen because developers trust packages from maintainers they've never met" — and this attack proves exactly how naive that trust really is.
The elementary-data package isn't some random utility. It's a Python CLI tool for data observability — the kind of infrastructure code that lives deep in your monitoring stack, touches your cloud credentials, and runs with elevated permissions. Perfect target.
Here's what got harvested when you ran that innocent pip install:
- SSH keys (goodbye, secure deployments)
- Cloud credentials (AWS, GCP, Azure — the whole buffet)
- User profiles and environment variables
- Cryptocurrency wallets (because why not grab the digital gold too)
- Git repos and CI/CD configs (deleted after theft, naturally)
The attackers weren't amateurs. They paired the poisoned PyPI package with a compromised Docker image for maximum distribution. They understood that data engineers don't just pip install — they containerize everything.
The Elephant in the Room
PyPI's security model is fundamentally broken. No mandatory 2FA. No signing requirements. No meaningful review process. You can push malware to millions of developers faster than you can order coffee.
This isn't even unique. Around the same period, x-interference versions 2.6.0-2.6.2 got compromised with similar credential-harvesting payloads. December 2025 saw 27 malicious npm packages doing the same dance. The Trivy GitHub action got poisoned. Axios had breaches.
Notice the pattern? Supply chain attacks aren't getting smarter — they're getting more frequent because the attack surface keeps growing and the defenses stay static.
What Actually Happens Next
If you're running elementary-data 0.23.3:
1. Downgrade immediately to 0.23.2 or earlier
2. Rotate everything — SSH keys, API tokens, database passwords, your grandmother's Netflix password
3. Scan for persistence because this malware doesn't just steal and leave
4. Monitor network traffic for ongoing exfiltration
But here's the real kicker: how do you know what else is compromised? If attackers can poison a package with 1.1 million downloads, they can poison anything.
Cybersecurity researchers are calling these attacks "sustained and targeted," hitting manufacturing and healthcare especially hard. When your data pipeline gets owned, it's not just your credentials at risk — it's every system those credentials can touch.
The Trust Tax
The market implications are brutal. Thousands of CI/CD pipelines potentially compromised. Enterprise incident response costs. Credential rotation across entire organizations. And the trust erosion in open source infrastructure that powers modern software development.
PyPI needs to grow up. Mandatory 2FA for maintainers. Package signing with tools like Sigstore. Faster takedown procedures. The current model where anyone can push anything to millions of developers is insane.
Until then? Pin your dependencies. Use pip-audit. Run isolated environments. And maybe — just maybe — actually read the code you're trusting with root access to your production systems.
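A small audit script, added here as an example (it is not code from the post or from the elementary-data project), that does the checks the remediation steps and the closing advice call for: it flags requirements that are unpinned or lack hashes, and it matches pins against the versions the post names as compromised (elementary-data 0.23.3, x-interference 2.6.0 to 2.6.2). The requirements text and the hash value are constructed placeholders, and the version parser handles only plain dotted versions, not full PEP 440.

```python
"""Audit a requirements file for unpinned dependencies and for versions
this post reports as compromised.  Added example, not the post's code;
the blocklist is built only from versions the post cites."""
import re
from typing import Dict, List, Tuple

# Version windows the post reports as malicious, inclusive on both ends.
COMPROMISED: Dict[str, Tuple[str, str]] = {
    "elementary-data": ("0.23.3", "0.23.3"),
    "x-interference": ("2.6.0", "2.6.2"),
}

# Constructed sample requirements file (hash value is a placeholder, not real).
SAMPLE_REQUIREMENTS = """\
# data stack
elementary-data==0.23.3
x-interference>=2.6.0
requests==2.32.3 \\
    --hash=sha256:placeholder_hash_value_for_illustration_only
pandas
boto3>=1.34
"""

# name, optional operator, optional dotted numeric version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9]+(?:\.[0-9]+)*)?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.23.3' into (0, 23, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[dict]:
    """Parse requirement lines (with backslash continuations) into dicts."""
    reqs = []
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:                              # skips -r/-e/--option lines
            continue
        name, op, ver = m.groups()
        reqs.append({"name": normalize(name), "op": op, "version": ver,
                     "hashed": "--hash=" in line, "line": line})
    return reqs


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (category, requirement line) findings for the given text."""
    findings = []
    for r in parse_requirements(text):
        if r["op"] != "==":
            findings.append(("UNPINNED", r["line"]))
        elif not r["hashed"]:
            findings.append(("NO-HASH", r["line"]))
        window = COMPROMISED.get(r["name"])
        if window is None:
            continue
        if r["op"] == "==" and r["version"]:
            lo, hi = (parse_version(b) for b in window)
            if lo <= parse_version(r["version"]) <= hi:
                findings.append(("COMPROMISED", r["line"]))
        else:
            # A range or bare name lets the resolver pick any release,
            # including one inside the compromised window.
            findings.append(("COMPROMISED-RISK", r["line"]))
    return findings


if __name__ == "__main__":
    for category, line in audit(SAMPLE_REQUIREMENTS):
        print(f"{category:17} {line}")
```

Run it against a real requirements file by replacing SAMPLE_REQUIREMENTS with the file's contents; a clean file yields an empty list, and anything pinned with `==` plus `--hash=` passes the pinning check so `pip install --require-hashes` can enforce it.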
Trust is expensive. Verification is cheaper.

