PyPI package with 1.1M monthly downloads hacked to push infostealer
The popular PyPI package elementary-data, with over 1.1 million monthly downloads, was compromised by an attacker who published a malicious version (0.23.3) to steal sensitive developer data and cryptocurrency wallets. The attacker exploited a GitHub Actions script injection flaw to run attacker-controlled commands inside the project's own release workflow, producing a release that appeared legitimate. That release carried a secrets stealer targeting SSH keys, cloud credentials, and cryptocurrency wallet files.
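GitHub Actions script injection, the flaw class named above, occurs when an attacker-controlled event field (a pull request title, a branch name, a commit message) is interpolated into a `run:` step with `${{ }}`: the runner substitutes the text before the shell parses it, so quotes in the field terminate the intended command and start a new one. The scanner below is an added example, not code from the article or from the elementary-data project. The two workflow snippets are constructed for illustration and do not reproduce the real project's workflow; the list of untrusted contexts follows GitHub's security hardening guidance but is not exhaustive. The hardened form passes the value through `env:` so the shell sees it only as an ordinary variable.

```python
"""Scan GitHub Actions workflow text for untrusted ${{ }} expressions inside run: scripts."""
import re

# Event fields an external contributor can influence. Constructed for this
# example from GitHub's hardening docs; not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.default_branch",
    "github.head_ref",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.event.discussion.title",
    "github.event.discussion.body",
    "github.event.workflow_run.head_branch",
    "github.event.workflow_run.head_commit.message",
    "inputs.",  # workflow_dispatch / workflow_call inputs are caller-controlled
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def _run_scripts(workflow_text):
    """Yield (1-based line of the run: key, script text) for inline and block-scalar run steps."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        lineno = i + 1
        if rest and rest[0] not in "|>":
            yield lineno, rest          # inline scalar: run: echo ...
            i += 1
            continue
        # Block scalar (run: |): body is every following line indented deeper than the key.
        body = []
        j = i + 1
        while j < len(lines) and (
            lines[j].strip() == "" or len(lines[j]) - len(lines[j].lstrip()) > indent
        ):
            body.append(lines[j])
            j += 1
        yield lineno, "\n".join(body)
        i = j


def find_script_injections(workflow_text):
    """Return [(line, expression)] for ${{ }} expressions in run: scripts that read untrusted contexts."""
    findings = []
    for lineno, script in _run_scripts(workflow_text):
        for raw in EXPR_RE.findall(script):
            expr = raw.strip()
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


def expand_expressions(script, context):
    """Mimic the runner's textual substitution of ${{ }} before the shell parses the script."""
    return EXPR_RE.sub(lambda m: context.get(m.group(1).strip(), ""), script)


# Constructed vulnerable workflow: event fields interpolated straight into shell text.
VULNERABLE_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [closed]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Log the merged PR
        run: |
          echo "Merged PR: ${{ github.event.pull_request.title }}"
      - run: echo "Branch ${{ github.head_ref }}"
"""

# Constructed hardened workflow: same values, but bound via env: and read as shell variables.
HARDENED_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [closed]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Log the merged PR
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Merged PR: $PR_TITLE"
          echo "Branch $HEAD_REF"
"""

if __name__ == "__main__":
    print("vulnerable:", find_script_injections(VULNERABLE_WORKFLOW))
    print("hardened:  ", find_script_injections(HARDENED_WORKFLOW))
    # A constructed PR title that closes the quoted string and appends a command.
    title = 'Fix typo"; echo INJECTED; echo "'
    print(expand_expressions('echo "Merged PR: ${{ github.event.pull_request.title }}"',
                             {"github.event.pull_request.title": title}))
```

Running the module flags the two interpolations in the vulnerable workflow and nothing in the hardened one, and the last line shows why: after substitution the shell receives `echo "Merged PR: Fix typo"; echo INJECTED; echo ""`, three commands where the author wrote one. In a release workflow those extra commands run with the job's publishing credentials, which is what lets a forged release reach the registry.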