PyPI package with 1.1M monthly downloads hacked to push infostealer
Summary
A malicious version of the widely used Python package 'elementary-data' was uploaded to the Python Package Index (PyPI). The package is downloaded over 1.1 million times a month; the compromised version was designed to steal sensitive developer information and cryptocurrency wallets.
IFF Assessment
FOE
This is bad news for defenders as a popular development tool has been compromised, posing a direct threat to sensitive data and financial assets.
Defender Context
This incident highlights the critical need for robust dependency scanning and software supply chain security practices. Defenders should monitor for compromised packages in their development pipelines and educate developers on verifying the integrity of third-party libraries.
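One concrete form of the integrity verification recommended above is pip's hash-checking mode: every dependency is pinned to an exact version and one or more `--hash=sha256:...` digests, so a substituted release fails installation. The script below is an added example, not code from the original report or from the elementary-data project; the requirements text, artifact bytes and digest are constructed for the demonstration and are not real PyPI releases or hashes.

```python
"""Audit a pip requirements file for exact pins and --hash entries, and verify
a downloaded artifact against the pinned digests before it is installed."""
import hashlib
import re

# Constructed artifacts standing in for downloaded wheels (not real releases).
GOOD_ARTIFACT = b"constructed wheel contents for elementary-data"
TAMPERED_ARTIFACT = b"constructed wheel contents with injected payload"

# Constructed lockfile in pip's hash-checking format. The digest is derived
# from the constructed artifact above, so it is not a real PyPI hash.
SAMPLE_REQUIREMENTS = f"""\
elementary-data==0.0.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
requests>=2.28
pyyaml==6.0
"""

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?")

def parse_requirements(text):
    """Return {name: {"pinned": bool, "hashes": set}} from requirements text.
    Backslash line continuations (as pip writes --hash options) are joined."""
    entries = {}
    for line in text.replace("\\\n", " ").splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        m = REQ_RE.match(parts[0])
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        hashes = {p[len("--hash="):] for p in parts[1:] if p.startswith("--hash=")}
        entries[name] = {"pinned": m.group(2) == "==", "hashes": hashes}
    return entries

def audit_requirements(text):
    """Findings a CI gate should fail on. Without an exact pin and a hash,
    pip accepts whatever the index serves for that name."""
    findings = []
    for name, info in parse_requirements(text).items():
        if not info["pinned"]:
            findings.append((name, "version not pinned with =="))
        if not info["hashes"]:
            findings.append((name, "no --hash entries"))
    return findings

def verify_artifact(data, text, name):
    """True only if the artifact's sha256 matches a pinned hash for name."""
    hashes = parse_requirements(text).get(name, {}).get("hashes", set())
    return "sha256:" + hashlib.sha256(data).hexdigest() in hashes
```

Hash pinning blocks silent substitution of an already-vetted release; it does not help if the pinned version is itself the malicious upload, which is why pins must be reviewed when a compromise like this one is disclosed.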