A malicious version of elementary-data (0.23.3) was published to PyPI and is still listed as the latest release. The same run also pushed a multi-arch container image to GitHub Container Registry at ghcr[.]io/elementary-data/elementary, tagged both 0.23.3 and latest. The PyPI upload occurred on April 24, 2026 at 22:20:47 UTC. The corresponding GitHub release was created by github-actions[bot], and the release was named in a way that signalled no human sign-off.
The attack exploited a script injection vulnerability in the project's GitHub Actions workflow update_pylon_issue.yml, using the workflow’s GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it without touching master or opening a PR. The compromised container image digest is sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255, and the latest tag also shares this digest.
Indicators of compromise include the injected elementary[.]pth file and exfiltration details such as the domain igotnofriendsonlineorirl-imgonnakmslmao.skyhanni[.]cloud and header X-Rise-To-The-Trinny: agree.
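
A read-only check of a Python environment for the two host-side indicators named above (the 0.23.3 distribution and the elementary.pth file), as an added example that is not code from the project or from the original report. The function names and the demo directory tree are constructed for illustration; only the package name, version and .pth file name come from the text.

```python
import re
import tempfile
from pathlib import Path

# Values taken from the advisory text above.
BAD_NAME, BAD_VERSION, BAD_PTH = "elementary-data", "0.23.3", "elementary.pth"

def canon(name):
    """PEP 503 name normalisation, so elementary_data == elementary-data."""
    return re.sub(r"[-_.]+", "-", name).lower()

def metadata_fields(path):
    """Read Name/Version from the header block of a dist-info METADATA file."""
    fields = {}
    for line in path.read_text(errors="replace").splitlines():
        if not line.strip():
            break  # headers end at the first blank line
        key, _, value = line.partition(":")
        if key in ("Name", "Version"):
            fields[key] = value.strip()
    return fields

def scan_site_dir(site_dir):
    """Return (kind, path, detail) findings; files are read, never imported."""
    findings = []
    for entry in sorted(Path(site_dir).iterdir()):
        if entry.is_file() and entry.name.lower() == BAD_PTH:
            # site.py executes .pth lines that start with "import" at startup.
            lines = entry.read_text(errors="replace").splitlines()
            n = sum(l.startswith(("import ", "import\t")) for l in lines)
            findings.append(("pth", str(entry), f"{n} startup-executed line(s)"))
        elif entry.is_dir() and entry.name.endswith(".dist-info"):
            meta = entry / "METADATA"
            f = metadata_fields(meta) if meta.is_file() else {}
            if canon(f.get("Name", "")) == BAD_NAME and f.get("Version") == BAD_VERSION:
                findings.append(("dist", str(entry), f"{BAD_NAME}=={BAD_VERSION}"))
    return findings

def demo():
    """Scan a constructed directory tree (not a real compromised install)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / BAD_PTH).write_text("import os  # constructed placeholder line\n")
        info = root / "elementary_data-0.23.3.dist-info"
        info.mkdir()
        (info / "METADATA").write_text("Name: elementary-data\nVersion: 0.23.3\n\nbody\n")
        return [(kind, detail) for kind, _, detail in scan_site_dir(root)]

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        for finding in scan_site_dir(target):
            print(*finding, sep="\t")
```

Pass the suspect environment's site-packages path as an argument and run the script with an interpreter from outside that environment, since starting the environment's own Python processes its .pth files before any script code runs.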