Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the elementary-data package.
elementary-data is a Data monitoring and lineage
Affected versions of this package are vulnerable to Embedded Malicious Code: they contain a credential stealer designed to exfiltrate sensitive data from the environment where the CLI is installed or executed. Specifically, the code:
Harvests Secrets: It searches for and collects dbt profiles, data warehouse credentials (e.g., Snowflake, BigQuery), cloud provider keys (AWS, GCP, Azure), API tokens, and SSH keys.
Steals Environment Variables: It scrapes .env files and active environment variables for secrets.
Exfiltrates Data: The gathered credentials are sent to an externally hosted command-and-control (C2) server controlled by the attacker.
Note: Elementary Cloud and the Elementary dbt package were not affected, and no other versions of the CLI were affected.
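For triage on a host where the CLI was installed, the following added example (not Snyk's or Elementary's code) reports the installed elementary-data version and lists which of the credential types named above are present locally, so they can be rotated. The credential paths, the secret-name pattern and the AFFECTED_VERSIONS placeholder are assumptions; the affected versions are not listed on this page.

```python
import os
import re
from importlib import metadata
from pathlib import Path

# Placeholder: fill in from the advisory's affected-version list (not given on this page).
AFFECTED_VERSIONS = {"<AFFECTED_VERSION>"}

# Assumed default locations for the credential types the advisory names.
CREDENTIAL_PATHS = {
    "dbt profiles": ".dbt/profiles.yml",
    "AWS keys": ".aws/credentials",
    "GCP keys": ".config/gcloud/application_default_credentials.json",
    "Azure tokens": ".azure",
    "SSH keys": ".ssh",
}
# Assumed heuristic for environment variable names that hold secrets.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|API_?KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)

def installed_version(package="elementary-data"):
    """Return the installed version of the package, or None if it is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None

def exposure_inventory(home, project_dir, environ):
    """List what must be rotated: labels, paths and names only, never secret values."""
    home, project_dir = Path(home), Path(project_dir)
    findings = []
    for label, rel in CREDENTIAL_PATHS.items():
        if (home / rel).exists():
            findings.append((label, str(home / rel)))
    for env_file in sorted(project_dir.rglob(".env*")):
        if env_file.is_file():
            findings.append((".env file", str(env_file)))
    for name in sorted(environ):
        if SECRET_NAME.search(name):
            findings.append(("environment variable", name))
    return findings

if __name__ == "__main__":
    version = installed_version()
    print("elementary-data installed:", version or "no")
    if version in AFFECTED_VERSIONS:
        print("Installed version is on the affected list.")
    for label, item in exposure_inventory(Path.home(), Path.cwd(), os.environ):
        print(f"rotate [{label}]: {item}")
```

Run it in the same Python environment and working directory the CLI used, since both the installed version and the `.env` search depend on them.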