
In yet another software supply chain attack, attackers compromised the popular Python package Lightning and pushed two malicious versions to perform credential theft.
According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both published on April 30, 2026. The campaign is being assessed as an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday.
As of this writing, the project has been quarantined by the Python Package Index (PyPI) administrators. PyTorch Lightning is an open source Python framework that provides a high-level interface to PyTorch; the project has over 31,100 stars on GitHub.
“The malicious package contains a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when a Lightning module is imported, with no additional action required by the user after installation and import.”
This attack chain paves the way for a Python script (‘start.py’) to download and execute the Bun JavaScript runtime, which is used to execute an 11 MB obfuscated malicious payload (‘router_runtime.js’) for comprehensive credential theft.
The project’s management confirmed that “we are aware of this issue and are actively investigating it.” It is not clear at this time how the incident occurred, but it has been suggested that the project’s GitHub account may have been compromised.

Among the collected credentials, the GitHub token is validated against the api.github[.]com/user endpoint and then used to inject a worm-like payload into up to 50 branches across all repositories the token can write to.
“This operation is an upsert; it creates a file that doesn’t yet exist and silently overwrites the file that does exist,” Socket added. “No pre-checking of existing content is performed. All tainted commits are created using a hard-coded ID designed to impersonate Anthropic’s Claude Code.”

Separately, the malware implements an npm-based propagation vector that modifies the developer’s local npm package using a post-installation hook in the “package.json” file to invoke the malicious payload, increment the patch version number, and repack the .tgz tarball. When unwitting developers publish modified packages from their local environment, they become available on npm and from there malware can reach downstream user systems.
In the meantime, we recommend blocking Lightning versions 2.6.2 and 2.6.3 and removing them from developer systems if they are already installed. It is also important to downgrade to the latest known clean version 2.6.1 and rotate any exposed credentials in the affected environment.
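A defender-side check for the indicators described above, as an added example that is not code from the article, the Lightning project, or the researchers cited. The version numbers, the hidden _runtime directory and the start.py / router_runtime.js file names come from the text; the function names and the sample inputs are assumptions, and the package.json check only surfaces install-time hooks for review rather than deciding whether they are malicious.

```python
"""Triage helpers for the Lightning 2.6.2 / 2.6.3 incident (constructed example)."""
import json
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the article; everything else here is assumed.
MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}
RUNTIME_ARTIFACTS = ("start.py", "router_runtime.js")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def is_malicious_version(version: str) -> bool:
    """True if a Lightning version string is one of the two pulled releases."""
    return version.strip() in MALICIOUS_VERSIONS


def installed_lightning_version() -> Optional[str]:
    """Version of the 'lightning' distribution in this interpreter, or None."""
    try:
        return metadata.version("lightning")
    except metadata.PackageNotFoundError:
        return None


def find_runtime_artifacts(package_dir: Path) -> List[str]:
    """Files under <package_dir>/_runtime whose names match the reported dropper/payload."""
    runtime = package_dir / "_runtime"
    if not runtime.is_dir():
        return []
    return sorted(p.relative_to(package_dir).as_posix()
                  for p in runtime.rglob("*") if p.name in RUNTIME_ARTIFACTS)


def install_hooks(package_json_text: str) -> Dict[str, str]:
    """Lifecycle scripts in a package.json that run automatically at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


if __name__ == "__main__":
    ver = installed_lightning_version()
    print("lightning:", ver, "(MALICIOUS)" if ver and is_malicious_version(ver) else "")
    for dist in metadata.distributions():  # look for the hidden directory in site-packages
        if dist.metadata["Name"] == "lightning" and dist.locate_file("") is not None:
            print("artifacts:", find_runtime_artifacts(Path(str(dist.locate_file("lightning")))))
```

Run it inside the virtual environment you want to triage; an empty artifact list and a version of 2.6.1 or lower is the expected clean result.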
This supply chain attack is the latest addition to a long list of breaches carried out by the threat actor known as TeamPCP. TeamPCP launched an .onion website on the dark web after its account was suspended by X for violating the platform’s rules.
The group also praised LAPSUS$ as “a good partner of ours and has been deeply involved throughout this operation.” It also emphasized that it has “never used the VECT encryption tool and owns its own private locker, CipherForce,” following a Check Point Research report on vulnerabilities discovered in the ransomware’s encryption process.
Intercom npm packages compromised as part of Mini Shai-Hulud
In a related development, it was revealed that intercom-client version 7.0.4 was compromised as part of the Mini Shai-Hulud campaign in a manner similar to the SAP packages, using pre-installation hooks to trigger execution of credential-stealing malware.
“This overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including unique payload implementation patterns, GitHub-based leaks, credential harvesting across developer and CI/CD environments, and similarities to previous attacks impacting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said.
