A Python package on PyPI called elementary-data, with over 1 million downloads per month, has suffered a supply chain security attack sourced through a GitHub Actions attack vector.

TL;DR

Advisory: SNYK-PYTHON-ELEMENTARYDATA-16316110
Severity: Critical (CVSS v4.0: 9.3)
Affected package: elementary-data==0.23.3
Clean versions: All versions except 0.23.3; upgrade to 0.23.4
Attack type: Supply chain (GitHub Actions CI/CD injection, then credential-stealing package)
Stolen credentials: dbt profiles, Snowflake/BigQuery/Redshift creds, AWS/GCP/Azure keys, API tokens, SSH keys, .env files
Scope: The PyPI CLI package and a Docker Image got compromised; Elementary Cloud and the Elementary dbt package were not affected
Detection marker: $TMPDIR/.trinny-security-update (Linux/macOS), %TEMP%\.trinny-security-update (Windows)
Disclosure: April 25–26, 2026

What is elementary-data?…
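A host check built from the TL;DR's affected version and detection marker, as an added example that is not code from the advisory or the Elementary project: it reports whether elementary-data 0.23.3 is installed in the current Python environment and whether the marker file exists in the temp directories. The function names and result layout are assumptions of this example; only the version string and marker file name come from the page.

```python
import os
import tempfile
from importlib import metadata
from pathlib import Path

AFFECTED_VERSION = "0.23.3"              # affected release, from the advisory
MARKER_NAME = ".trinny-security-update"  # detection marker, from the advisory


def candidate_temp_dirs(env=None):
    """Temp dirs named in the advisory ($TMPDIR, %TEMP%) plus the platform default."""
    env = os.environ if env is None else env
    seen, dirs = set(), []
    for d in (env.get("TMPDIR"), env.get("TEMP"), tempfile.gettempdir()):
        if d and d not in seen:
            seen.add(d)
            dirs.append(Path(d))
    return dirs


def installed_version(package="elementary-data"):
    """Version in the *current* interpreter environment only, or None.
    Other virtualenvs and container images must be checked separately."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def check_host(version, temp_dirs):
    """Evaluate both indicators independently: a host that has already been
    upgraded to a clean version can still carry the marker file."""
    markers = [str(d / MARKER_NAME) for d in temp_dirs
               if (d / MARKER_NAME).exists()]
    affected = version == AFFECTED_VERSION
    return {
        "version": version,
        "affected_version_installed": affected,
        "markers": markers,
        "suspect": affected or bool(markers),
    }


if __name__ == "__main__":
    result = check_host(installed_version(), candidate_temp_dirs())
    print(result)
    # Non-zero exit lets CI jobs or fleet tooling flag the host.
    raise SystemExit(1 if result["suspect"] else 0)
```

Run it with each interpreter or virtualenv that may have installed the package, since the version lookup only sees the environment it runs in.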