Python Supply Chain Attack: 1M Developer Credentials Stolen

A Python supply chain attack targeting element-data — a package (a reusable software module developers install via the command line to add capabilities to their projects) trusted by over 1 million developers every month — silently modified the tool to steal developer credentials, running undetected for 12 hours. That same month, the security company whose scanning tools are supposed to catch exactly this kind of attack was itself compromised twice in 40 days. Together, these incidents expose a widening blindspot: the infrastructure developers trust most is increasingly the infrastructure attackers exploit first.

12 Hours to Drain 1 Million Developer Environments

element-data is a command-line monitoring tool for Python and machine learning (ML) workflows — the kind of package a data engineer installs once and forgets about, because it quietly does its job in the background. In April 2026, version 0.23.3 of element-data quietly started doing a very different job.

The malicious release was engineered to silently exfiltrate credentials from any environment where it ran:

• SSH keys — the cryptographic credentials (unforgeable digital keys) used to connect to servers without typing a password
• API tokens — the secret authorization codes that services like GitHub, AWS, and OpenAI use to verify application identity when connecting programmatically
• Cloud provider credentials — the master access keys for AWS, Google Cloud, or Azure accounts, capable of spinning up infrastructure, reading production databases, or draining billing accounts

The attack window lasted exactly 12 hours before the malicious version was detected and removed. In that window, automated exfiltration tools can sweep tens of thousands of developer environments — CI/CD pipelines (the automated systems that build, test, and deploy software), staging servers, and developer laptops — without triggering a single alert in most standard security setups.

The element-data maintainers confirmed the breach publicly:

"Users who installed 0.23.3, or who pulled and ran the affected Docker image, should assume that any credentials accessible to the environment where it ran may have been exposed."

A Docker image is a portable software container — a packaged environment developers use to run applications consistently across different machines. If your team pulled the compromised Docker image during that 12-hour window, every credential stored in that container's environment is potentially in the hands of the attacker. "Assume exposed" is not hedging — it is the only rational response.

Checkmarx Was Breached Twice in 40 Days — by a Tool That Scans for Breaches

Checkmarx produces software composition analysis (SCA) tools — scanners that check code repositories for compromised packages before they reach production. In March–April 2026, Checkmarx itself became the target of a supply chain campaign spanning two separate breaches over 40 days.

The attack unfolded in stages:

1. Stage 1 — Trivy compromised: Attackers first compromised the GitHub account for Trivy, a widely-used open-source vulnerability scanner (a tool that audits container images and source code for known security weaknesses). Trivy's established reputation made its account a trusted launchpad.
2. Stage 2 — Checkmarx targeted: The compromised Trivy identity was then used to execute a second attack directly targeting Checkmarx's supply chain — weaponizing one security tool's credibility to breach another security vendor's infrastructure within the same 40-day window.

This attack pattern is particularly dangerous because it exploits the implicit trust relationships in the security tooling ecosystem. A notification from a legitimate-looking Trivy account doesn't trigger the same skepticism as a cold phishing email. Attackers studied the trust graph and moved along its strongest edges.

For enterprises running Checkmarx products: any security audit report generated during March–April 2026 should be treated with scrutiny. An attacker with access to Checkmarx's pipeline potentially had visibility into vulnerability data from hundreds of downstream customers — the security reports themselves may have been read by the people they were meant to expose.

34 Universities, Hundreds of Hijacked Subdomains

Supply chain attacks are not limited to software packages. A parallel campaign has been exploiting a different kind of trusted infrastructure: academic domain names.

Attackers compromised abandoned or poorly maintained subdomains belonging to 34+ prestigious institutions, including UC Berkeley, Columbia University, and Washington University in St. Louis. Hundreds of subdomains across these universities have been weaponized to serve:

• Fake malware warning pages (social engineering tactics to push users into installing actual malware)
• Explicit content (exploiting institutional domain trust to bypass corporate email and content filters)
• Phishing infrastructure that leverages .edu domain credibility to evade security scanning tools

The reason this works: *.columbia.edu or *.berkeley.edu domains bypass the skepticism that corporate security policies apply to unknown domains. A DNS record (the internet's address book entry) pointing a forgotten university subdomain to attacker-controlled infrastructure is invisible to institutional monitoring — until someone notices the subdomain is serving content the university definitely did not authorize.

This is a DNS housekeeping failure (the organizational practice of decommissioning and auditing subdomains no longer in active use), not sophisticated cryptographic exploitation. The attack surface is institutional neglect of forgotten digital real estate. The domain names do the heavy lifting.

Microsoft's Emergency Patch: Zero Credentials Required for Root Access

While supply chain attacks dominated the month, Microsoft released an emergency security patch for ASP.NET Core (Microsoft's cross-platform framework for building web applications that run on Linux, macOS, and Windows). The vulnerability — tracked as CVE-2026-40372 — affects all versions from 10.0.0 through 10.0.6.

The attack scenario requires nothing from the attacker beyond a network connection to the affected service:

• An unauthenticated attacker — someone with no credentials, no account, and no prior access — can forge authentication tokens to impersonate any user
• Successful exploitation grants SYSTEM-level privileges on Linux and macOS systems, equivalent to full root access — the highest privilege level an operating system grants
• No user interaction required: no clicks, no downloads, no phishing step needed

For teams running ASP.NET Core 10 web services exposed to the internet, this patch is not optional. An internet-facing service on versions 10.0.0–10.0.6 is effectively an open door to the server's entire operating system. Patch immediately:

# Check your current .NET runtime version:
dotnet --version

# Update runtime on Ubuntu/Debian:
sudo apt-get update && sudo apt-get install --only-upgrade dotnet-runtime-10.0

# Verify your project's target framework in .csproj:
# <TargetFramework>net10.0</TargetFramework>
# Rebuild and redeploy after updating the SDK

What to Do Right Now

These incidents share a structural pattern: attackers are targeting trusted infrastructure rather than direct targets, because the trust relationship itself is the vulnerability. Here is the immediate action checklist for April 2026's attack wave:

• element-data users (Python/ML developers): If you installed element-data v0.23.3 or ran its Docker image during April 2026, rotate every credential that was accessible in that environment — SSH keys, API tokens, AWS/GCP/Azure access keys. Treat the environment as fully compromised even without visible signs of intrusion.
• Checkmarx and Trivy users: Audit which versions were active during March–April 2026. Flag security scan reports from that period for secondary manual review — the scanner generating them may have been compromised.
• ASP.NET Core 10 teams: Apply the CVE-2026-40372 patch immediately. Services on versions 10.0.0–10.0.6 exposed to the internet are actively exploitable with no credentials required.
• University and enterprise IT administrators: Audit all subdomains for DNS records pointing to external IP addresses you do not recognize. Any forgotten subdomain with an unknown destination is a potential attack vector.

To check if element-data is present in your Python projects, search your dependency files and container images:

# Search for element-data in your project's requirements:
grep -r "element-data" .

# Check if it is installed in the current environment:
pip show element-data

# If found — uninstall and rotate all credentials immediately:
pip uninstall element-data

April 2026 also saw the Grinex cryptocurrency exchange report a $15 million heist — with attackers draining 70 separate wallet addresses in what the exchange attributed to "state-level resources." Independent attribution has not been confirmed. The common thread across all of this month's incidents is not technical sophistication: it is the systematic targeting of the tools, domains, and packages that operate inside the perimeter of trust organizations have already extended. You can stay current on breaking security incidents at the latest AI and developer security news, or review the AI for Automation security and developer guides for pipeline hardening strategies.

Related Content — Get Started | Guides | More News