Apr 27, 2026mediumzero-day

PyPI package with 1.1M monthly downloads hacked to push infostealer

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. The dangerous release is 0.23.

what's affectedPyPI package with 1.1M monthly downloads hacked to push infostealer

mitigation statusMonitoring updates

first reportedApr 27, 2026

social pulse

mentions (24h)446

velocitytrend up

mentions delta+0% vs yesterday

platform splitX 46% · Reddit 31% · GitHub 23%

keywords

zero-dayvulnerabilitymitigation

x analyticsheat 0

authors 0verified 0%

likes0

retweets0

replies0

quotes0

summaryConversation is accelerating with active-response chatter and exploit validation.

sources

https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/

Curated Apr 27, 2026 by the ahackaday team./Sources verified./Brief grounded in 1 source.

Grace Your AI security internreadyGrace is ready

Grounded in this brief only — PyPI package with 1.1M monthly downloads hacked to push infostealer. Press ⌘K any time.

You're answering aschange anytime

Pick a playor type your own ↓

Tone

Pick a play above, or type your question

Generate an answer and Grace will return a grounded response for this incident.

scanning advisory feeds…