Attention all developers: if you have version 0.23.3 of elementary-data installed, take action now. Follow these steps:
- First, check your installed version by running:
  pip show elementary-data | grep Version
- If it shows 0.23.3, uninstall it and replace it with a safer version using:
  pip uninstall elementary-data
  pip install elementary-data==0.23.4
- Make sure to specify elementary-data==0.23.4 in your requirements and lockfiles.
- Clear your cache files to remove any leftovers from the old version.
- Look for a malware marker file on any machine that ran the CLI. If found, your machine could be at risk:
  - macOS / Linux: /tmp/.trinny-security-update
  - Windows: %TEMP%\.trinny-security-update
- Update all credentials that were accessible where 0.23.3 ran. This includes dbt profiles, cloud keys, API tokens, and SSH keys. CI/CD runners should be prioritized, as they often have access to many secrets.
- Notify your security team and look for any unauthorized use of exposed credentials. More details on related indicators of compromise (IOCs) can be found here.
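As an added example (not part of the original advisory), a small POSIX shell triage helper that wraps the checks above: it classifies the installed elementary-data version, looks for the macOS/Linux marker path named in the advisory, and reports whether action is needed. The function names and the MARKER override are my own assumptions; the Windows %TEMP% path is not checked here.

```shell
#!/bin/sh
# Added triage helper for the elementary-data 0.23.3 advisory (example code,
# not from the advisory). Checks the installed version and the marker file.

AFFECTED_VERSION="0.23.3"
SAFE_VERSION="0.23.4"
# Marker path from the advisory (macOS / Linux); override for testing.
MARKER="${MARKER:-/tmp/.trinny-security-update}"

# classify_version VERSION -> prints "affected" if VERSION is 0.23.3, else "ok"
classify_version() {
    if [ "$1" = "$AFFECTED_VERSION" ]; then echo affected; else echo ok; fi
}

# installed_version -> prints the installed elementary-data version, or
# nothing if the package (or pip) is absent from this environment
installed_version() {
    pip show elementary-data 2>/dev/null | awk -F': ' '/^Version:/ {print $2}'
}

# marker_status PATH -> prints "found" if PATH exists, else "absent"
marker_status() {
    if [ -e "$1" ]; then echo found; else echo absent; fi
}

# triage -> prints findings; returns 0 when clean, 1 when action is needed
triage() {
    ver=$(installed_version)
    status=0
    if [ -z "$ver" ]; then
        echo "elementary-data is not installed in this environment"
    elif [ "$(classify_version "$ver")" = "affected" ]; then
        echo "ACTION: elementary-data $ver installed; reinstall $SAFE_VERSION and pin it"
        status=1
    else
        echo "elementary-data $ver installed (not the affected release)"
    fi
    if [ "$(marker_status "$MARKER")" = "found" ]; then
        echo "ACTION: marker $MARKER present; treat host as compromised, rotate credentials"
        status=1
    fi
    return $status
}

# Run the triage only when invoked as: sh triage.sh run
case "${1:-}" in run) triage ;; esac
```

A non-zero exit from triage means at least one of the advisory's remediation steps applies to this host.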
In recent years, supply-chain attacks on open-source software have surged. Such attacks can lead to widespread issues, as they often compromise multiple layers, impacting many users. A startling statistic shows that nearly 80% of organizations experienced a supply-chain attack in the last two years alone.
HD Moore, a hacker with extensive experience and the founder of runZero, emphasizes that workflows on platforms like GitHub can be especially vulnerable. He states, “It’s really tough to avoid creating exploitable workflows with open repositories.”
To help identify such vulnerabilities, he recommends this package designed to enhance security checks for developers. Staying informed and proactive is key in this constantly evolving landscape of cybersecurity.
For developers, recognizing threats in open-source projects and enhancing their development practices is critical. Engaging in community discussions and keeping abreast of security updates are just a few steps toward safeguarding sensitive information.

