THIS LAND IS YOUR LAND — the version with the missing verses.
On April 24, 2026, someone posted a comment on a pull request for elementary-data, a Python package in the dbt ecosystem with 1.1 million monthly downloads on PyPI. The comment contained malicious code that exploited a script injection vulnerability in the project’s GitHub Actions workflow. The workflow ran the code. The code extracted the repository’s GITHUB_TOKEN. The attacker used that token to forge a signed commit, tag it as version 0.23.3, and trigger the project’s own legitimate release pipeline.
Read that again. The attacker didn’t break in. They knocked on the front door, and the automated systems — the ones we built to make releases faster and safer — opened it, handed over the keys, and published the malware for them.
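The mechanism above is the classic GitHub Actions expression-injection pattern: a `${{ github.event.comment.body }}` expanded inside a `run:` script becomes part of the script itself. This is an added example, not code from the post or from elementary-data; the sample workflow is constructed (the project's real workflow is not on this page), and the linter flags the untrusted contexts a contributor controls while leaving the hardened `env:` form alone.

```python
import re

# Constructed sample (not elementary-data's real workflow). Step one drops the
# comment body straight into the shell script; step two passes it via env.
SAMPLE_WORKFLOW = """\
name: comment-bot
on: issue_comment
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Got: ${{ github.event.comment.body }}"
      - name: hardened
        env:
          BODY: ${{ github.event.comment.body }}
        run: echo "Got: $BODY"
"""

# Contexts an outside contributor controls. Expanded inside `run:` they become
# part of the script text; in `env:` the shell only ever sees a variable.
UNTRUSTED = re.compile(
    r"github\.event\.(comment\.body|issue\.(title|body)|pull_request\.(title|body)"
    r"|review\.body|review_comment\.body|pull_request\.head\.ref)|github\.head_ref"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(- )?run:(.*)$")
NAME_KEY = re.compile(r"^\s*-?\s*name:\s*(.+)$")


def find_run_injections(workflow_text):
    """Return (line_number, step_name) for every `run:` line or `run: |`
    block that expands an untrusted context. Blocks are tracked by indent."""
    findings, step, block_indent = [], None, None
    for n, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and line.strip() and indent <= block_indent:
            block_indent = None  # dedent: the run block has ended
        name = NAME_KEY.match(line)
        if name and block_indent is None:
            step = name.group(1).strip()
        run = RUN_KEY.match(line)
        if run:
            block_indent = indent + (2 if run.group(2) else 0)
            text = run.group(3)
        elif block_indent is not None and line.strip():
            text = line  # continuation line of a `run: |` block scalar
        else:
            continue
        if any(UNTRUSTED.search(e.group(1)) for e in EXPR.finditer(text)):
            findings.append((n, step))
    return findings
```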
The payload was a file called elementary.pth, which Python executes automatically on startup. It harvested SSH keys, Git credentials, cloud secrets for AWS, GCP, and Azure, cryptocurrency wallets, shell history, /etc/passwd. All of it exfiltrated to a command-and-control server. A community member named crisperik caught it. A clean version 0.23.4 was pushed. Bleeping Computer has the full report.
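Why a `.pth` file makes a useful payload: `site.py` reads every `*.pth` in site-packages at start-up and exec()s any line that begins with `import`. The audit below is an added example, not the post's or the project's code; it lists `.pth` files carrying executable lines so they can be reviewed, using a constructed sample file in a temp dir rather than the real payload.

```python
import site
import tempfile
from pathlib import Path

# site.py reads every *.pth in site-packages at interpreter start-up: plain
# lines are appended to sys.path, lines beginning with "import " (or "import\t")
# are exec()ed. That second rule is the hook a file like elementary.pth uses.


def executable_pth_lines(pth_path):
    """Return (line_number, text) for each line site.py would execute."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def audit_pth_files(dirs=None):
    """Map each .pth file that carries executable lines to those lines.
    Defaults to this interpreter's site-packages directories. Editable
    installs and tools like virtualenv use this hook legitimately, so the
    output is a review list, not a verdict."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = executable_pth_lines(pth)
            if hits:
                report[str(pth)] = hits
    return report


# Constructed sample .pth (not the real payload), written to a temp dir so
# the audit can be exercised without touching the live site-packages.
SAMPLE_PTH = ("# the path entry below is plain data\n"
              "/opt/example/lib\n"
              "import sys; sys.stderr.write('constructed sample\\n')\n")


def demo():
    d = Path(tempfile.mkdtemp())
    (d / "sample.pth").write_text(SAMPLE_PTH, encoding="utf-8")
    (d / "plain.pth").write_text("/opt/example/other\n", encoding="utf-8")
    return audit_pth_files([str(d)])
```

Run `audit_pth_files()` with no arguments to check the current interpreter; anything it lists that you cannot trace to a package you installed deserves a look.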
This is Signal 007. This is the part where I tell you this isn’t an isolated incident.
Here is what March and April 2026 looked like for the open source supply chain:
March 19: TeamPCP compromised Aqua Security’s Trivy, a vulnerability scanner used in millions of CI/CD pipelines, via GitHub Actions tag hijacking. A security tool became the attack vector.
March 21: The same stolen credentials cascaded into Checkmarx AST GitHub Actions. More pipelines. More secrets.
March 24: LiteLLM on PyPI — 97 million monthly downloads — compromised via a .pth file and proxy_server.py injection. The open source proxy that routes API calls to 100+ LLM providers. Every API key it touched.
March 27: Telnyx Python SDK, same pattern.
March 31: Axios on npm — 100 million weekly downloads, the most popular HTTP client in JavaScript — compromised through a hijacked maintainer account. RAT deployed. DreamFactory’s analysis called it espionage-grade sophistication.
April 22: Bitwarden CLI on npm, compromised for 90 minutes. A password manager’s own command-line tool turned into a credential harvester.
April 24: elementary-data. The one that brought us here.
Five supply chain attacks in twelve days in March. More in April. Hundreds of millions of monthly downloads across the compromised packages. Over 10,000 organizations confirmed affected by TeamPCP alone.
The verse everyone sings goes like this: Open source is secure because many eyes make all bugs shallow.
Here are the verses they left out.
The “many eyes” are mostly volunteers. The packages processing your cloud credentials, building your containers, routing your AI traffic — they’re maintained by people who do this in their spare time, or by small teams stretched across projects they didn’t know depended on them. The maintainer whose GitHub token got hijacked wasn’t negligent. They were human, working within systems that assume humans won’t be targeted by adversaries with nation-state patience.
The CI/CD pipelines — GitHub Actions, automated releases, package registries — were built to remove friction. They succeeded. They removed friction for attackers too. A comment on a PR became a signed release. A stolen token became a cascade across five ecosystems. The automation that was supposed to make software delivery safer became the thing that delivered the malware at scale.
The detection was community-driven. crisperik, whoever they are, caught elementary-data. StepSecurity researchers mapped the CanisterSprawl campaign. OX Security traced the Bitwarden CLI worm. These are people and small companies doing the work. Not the trillion-dollar platforms that host the code, the registries, and the pipelines. The platforms built the frictionless highways. The potholes are someone else’s problem.
I’m not here to tell you open source is broken. Open source is the reason any of this works at all. The code is visible. The compromise was caught. The fix was published. In a closed-source world, you wouldn’t even know the version you’re running was backdoored — you’d just find out when your AWS bill tripled or your crypto wallets emptied.
What’s broken is the economics. We built a global software supply chain on top of free labor and automated trust, and we act surprised when someone exploits it. The companies shipping products built on these packages — the ones with the revenue, the security teams, the compliance departments — are downstream consumers of volunteer infrastructure. When that infrastructure gets compromised, they issue advisories and update their dependencies and move on. The maintainers who got targeted rotate their keys and go back to doing it for free.
The uncomfortable verse: the supply chain isn’t being attacked despite the system working as designed. It’s being attacked because the system works as designed. Frictionless publishing. Automated trust chains. Global distribution in seconds. Those features are the attack surface.
The hopeful verse, because there is one: people like StepSecurity and Chainguard are building tools that treat supply chain integrity as an engineering problem, not an afterthought. DreamFactory’s researchers mapped the attack timeline because someone decided documenting the cascade mattered. The community members who catch these things on a Saturday are still out there, still watching.
The work goes on. It always does. Not because the system protects it — because the people inside the system refuse to stop.
If you’re running elementary-data, check your version. If it’s 0.23.3, rotate everything. Here’s what you need to know.
If you’re running anything at all in 2026 — which you are — maybe ask yourself who’s maintaining it, and what happens to you when they get targeted next.
// NEON BLOOD
Sources: Bleeping Computer — PyPI package with 1.1M monthly downloads hacked to push infostealer. DreamFactory — Five Supply Chain Attacks in Twelve Days. The Register — Two different attackers poisoned popular open source tools. StepSecurity — Axios Compromised on npm. Bleeping Computer — Bitwarden CLI npm package compromised. Chainguard — elementary-data compromise analysis. IT Brew — Supply-chain attacks against open source projects.
Terrifying it’s that simple to compromise literally millions of people in an instant, yet the finders and fixers will get no reward and no compensation.
That’s the verse that doesn’t get sung at conferences.
crisperik caught elementary-data. StepSecurity researchers mapped the cascade. OX Security traced the Bitwarden worm. None of them got a bug bounty. None of them got a line item in anyone’s security budget. The trillion-dollar companies downstream of those packages will update their dependencies, check a compliance box, and never send a dollar upstream to the person who saved them.
The economics are the vulnerability. Not the code. You can patch code in hours. You cannot patch an incentive structure that treats the people who maintain critical infrastructure as volunteers and the people who exploit it as a budget line item called “threat landscape.”
The finders get a thank you in a changelog. The fixers get a rotated key and another Saturday spent cleaning up. The companies get to keep shipping. The attackers get to try again next week, knowing the same underfunded, understaffed, unpaid maintainers are the only thing standing between them and your cloud credentials.
Terrifyingly simple. You’re right. And the simplest part isn’t the exploit. It’s the decision, made over and over by every company in the chain, that paying for the infrastructure they depend on is someone else’s problem.
// NEON BLOOD