In another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to carry out credential theft.
According to Aikido Security, OX Security, Socket and StepSecurity, the two malicious variants are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is believed to be an extension of the mini Shai-Hulud supply chain incident that targeted SAP-related NPM packages on Wednesday.
At the time of writing, the project has been decommissioned by the administrators of the Python Package Index (PyPI) repository. PyTorch Lightning is an open-source Python framework that provides a high-level interface to PyTorch. The open-source project has over 31,100 stars on GitHub.
“The malicious package includes a hidden _runtime directory that contains a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when a Lightning module is imported, with no additional user action required after installation and import.”
The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to run an 11 MB obfuscated malicious payload (“router_runtime.js”) for the purpose of widespread credential theft.
Of the credentials collected, the GitHub token is validated against the “api.github[.]com/user” endpoint and then used to inject a worm-like payload into up to 50 branches of each repository the token can write to.
“The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do exist,” Socket said. “No pre-checking is done for existing content. Each poisoned commit is written using a hardcoded identity designed to impersonate Anthropic’s Claude Code.”
Separately, the malware implements an NPM-based propagation vector that modifies the developer’s local NPM package by adding a postinstall hook to the “package.json” file to apply the malicious payload, increments the patch version number, and repacks the .tgz tarball. Should an unsuspecting developer publish the compromised package from their local environment, it becomes available on NPM, from where the malware ends up on downstream user systems.
The project’s maintainers acknowledged that “we are aware of the issue and are actively investigating.” It is currently unclear how the incident occurred, but indications are that the project’s GitHub account has been compromised.
In a separate advisory, Lightning revealed that an investigation is still ongoing to determine the exact root cause of the compromise and that “the affected versions have introduced functionality consistent with a credential harvesting mechanism.”
In the interim, it is advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer systems if already installed. It is also necessary to downgrade to the last known clean version 2.6.1 and rotate the exposed credentials in the affected environment.
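A defender-side triage check for the indicators the article names (the affected versions 2.6.2 and 2.6.3, the hidden _runtime directory with start.py and router_runtime.js, and an injected postinstall hook in package.json) can be scripted. The following is an added example, not code from the article, from Socket, or from the Lightning project; the function names and the sample directory tree it builds are constructed here for illustration, and a real run would point it at the site-packages directory of each Python environment and at local npm projects.

```python
"""Triage helper for the Lightning 2.6.2/2.6.3 compromise (added example).
Indicator names come from the article; helper names and sample tree are constructed."""
import json
import tempfile
from pathlib import Path

BAD_LIGHTNING_VERSIONS = {"2.6.2", "2.6.3"}   # versions named in the advisory
INDICATOR_DIR = "_runtime"                     # hidden directory in the bad wheels
INDICATOR_FILES = {"start.py", "router_runtime.js"}


def installed_lightning_versions(site_packages: Path) -> set:
    """Read the Version field of every lightning-*.dist-info/METADATA present."""
    found = set()
    for info in site_packages.glob("lightning-*.dist-info"):
        meta = info / "METADATA"
        if not meta.is_file():
            continue
        for line in meta.read_text(encoding="utf-8").splitlines():
            if line.startswith("Version:"):
                found.add(line.split(":", 1)[1].strip())
    return found


def find_runtime_indicators(site_packages: Path) -> list:
    """Return paths of any _runtime directory or its known payload files."""
    hits = []
    for path in site_packages.rglob("*"):
        if path.is_dir() and path.name == INDICATOR_DIR:
            hits.append(str(path))
        elif (path.is_file() and path.name in INDICATOR_FILES
              and path.parent.name == INDICATOR_DIR):
            hits.append(str(path))
    return sorted(hits)


def has_postinstall_hook(package_json: Path) -> bool:
    """True when package.json declares a postinstall script (flag for manual review)."""
    try:
        data = json.loads(package_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return False
    scripts = data.get("scripts") or {}
    return "postinstall" in scripts


def assess(site_packages: Path, npm_projects: list) -> dict:
    """Combine the three checks into one report dict."""
    versions = installed_lightning_versions(site_packages)
    return {
        "bad_versions": versions & BAD_LIGHTNING_VERSIONS,
        "runtime_indicators": find_runtime_indicators(site_packages),
        "postinstall_packages": sorted(
            str(p / "package.json") for p in npm_projects
            if has_postinstall_hook(p / "package.json")
        ),
    }


def build_sample_tree() -> Path:
    """Constructed sample: an environment with a bad Lightning install and a
    local npm project carrying a postinstall hook. Not real malware content."""
    root = Path(tempfile.mkdtemp(prefix="lightning_triage_"))
    sp = root / "site-packages"
    (sp / "lightning-2.6.2.dist-info").mkdir(parents=True)
    (sp / "lightning-2.6.2.dist-info" / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: lightning\nVersion: 2.6.2\n")
    (sp / "lightning" / INDICATOR_DIR).mkdir(parents=True)
    (sp / "lightning" / INDICATOR_DIR / "start.py").write_text("# placeholder\n")
    proj = root / "proj"
    proj.mkdir()
    (proj / "package.json").write_text(json.dumps({
        "name": "example-pkg", "version": "1.0.1",
        "scripts": {"postinstall": "node ./setup.js"}}))
    return root


if __name__ == "__main__":
    r = build_sample_tree()
    print(json.dumps(assess(r / "site-packages", [r / "proj"]), indent=2))
```

A hit in any of the three fields means the environment should be treated as exposed: remove the package, reinstall 2.6.1, and rotate every credential that was reachable from that machine. A postinstall hook by itself is not proof of compromise, which is why the script only flags it for review rather than deciding.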
The supply chain attack is the latest addition to a long list of compromises carried out by a threat actor named TeamPCP, which has now launched an onion website on the dark web after its account was suspended from X for violating the platform’s rules.
The group has also name-checked LAPSUS$, which it describes as “a good partner of ours” that “has been heavily involved in this entire operation.” Following a report by Check Point Research about vulnerabilities discovered in the ransomware’s encryption process, the group also stressed that it has “never used the VECT encryption tool and we have our own private locker, CipherForce.”
Intercom npm package compromised as part of Mini Shai-Hulud
In a related development, it has emerged that version 7.0.4 of the intercom-client npm package has been compromised as part of the Mini Shai-Hulud campaign, following the same methodology as the SAP packages to trigger the execution of credential-stealing malware using preinstall hooks.
“The overlap is significant because the SAP CAP campaign was connected to TeamPCP activity based on shared technical details, including specific payload implementation patterns, GitHub-based exfiltration, credential harvesting in developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said.