In a fresh software supply chain attack, hackers have taken control of the widely-used Python package Lightning to distribute two harmful versions designed to steal user credentials.
Security firms Aikido Security, OX Security, Socket, and StepSecurity report that the two tainted versions — 2.6.2 and 2.6.3 — were both released on April 30, 2026. Experts believe this campaign is a continuation of the Mini Shai-Hulud supply chain incident, which targeted SAP-related npm packages just the day before.
At the time of writing, administrators of the Python Package Index (PyPI) have placed the project under quarantine. PyTorch Lightning is an open-source Python library that offers a streamlined, high-level interface for PyTorch. The project boasts over 31,100 stars on GitHub.
“The malicious package contains a concealed _runtime directory housing a downloader and a heavily obfuscated JavaScript payload,” Socket explained. “The entire execution chain activates automatically the moment the lightning module is imported, meaning no further user interaction is needed after installation and importing.”
The attack orchestrates the launch of a Python script called “start.py,” which fetches and runs the Bun JavaScript runtime. Bun is then used to execute a large 11MB obfuscated malicious file named “router_runtime.js” — all aimed at carrying out sweeping credential theft.
Among the stolen credentials, harvested GitHub tokens are validated by checking them against the “api.github[.]com/user” endpoint. Once a token is confirmed to work, it is used to inject self-spreading, worm-like code into up to 50 branches across every repository the token has write access to.

“The operation works as an upsert — it creates new files where none exist and silently overwrites those that already do,” Socket continued. “There’s no check for existing content beforehand. Every tampered commit is authored under a fixed identity crafted to impersonate Anthropic’s Claude Code.”
In a separate propagation technique, the malware employs an npm-based vector that alters the developer’s local npm packages by injecting a postinstall hook into the “package.json” file. This hook triggers the malicious payload, bumps the patch version number, and re-packages the .tgz tarballs. If an unaware developer then publishes these altered packages from their machine, the malware lands on npm and eventually reaches downstream users.

The project’s maintainers have confirmed that “we are aware of the issue and are actively investigating.” While the exact cause remains unclear, evidence strongly suggests that the project’s GitHub account was breached.
In a separate advisory, Lightning shared that an ongoing investigation is working to pinpoint the precise root cause of the compromise, and confirmed that the “affected versions contain functionality consistent with a credential harvesting mechanism.”
In the meantime, users are urged to block Lightning versions 2.6.2 and 2.6.3 and remove them from any developer environments where they may already have been installed. It is also critical to roll back to the last known safe version, 2.6.1, and rotate any credentials that may have been exposed on affected systems.
This supply chain attack adds yet another entry to the growing list of compromises attributed to a threat actor called TeamPCP, who has now set up an onion website on the dark web after their X account was suspended for violating platform rules.
TeamPCP also referenced LAPSUS$, calling them “a good partner of ours who has been heavily involved throughout this entire operation.” The group was also keen to clarify that it has “never used VECT encryption tools and we own CipherForce, our own private locker,” responding to a Check Point Research report that identified vulnerabilities in the group’s ransomware encryption process.
Intercom npm and Packagist Packages Hit as Part of Mini Shai-Hulud
In a related development, version 7.0.4 of the intercom-client package has been found compromised as part of the Mini Shai-Hulud campaign, following the same approach used against the SAP packages — leveraging a preinstall hook to trigger the execution of credential-stealing malware.
“The overlap is notable because the SAP CAP campaign had already been tied to TeamPCP based on shared technical indicators, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting from both developer and CI/CD environments, and similarities to previous attacks on Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket stated.

It has since been confirmed that the GitHub account belonging to the user “nhur” was compromised, and the malicious intercom-client@7.0.4 package was published through a now-deleted branch that activated an automated CI publish workflow. In parallel, the campaign has also expanded to Packagist, with the compromise of “intercom/intercom-php” (version 5.0.2), which adapts the same credential-stealing method for the PHP ecosystem.
Specifically, the package leverages Composer plugin execution to download Bun via a shell script named “setup-intercom.sh,” which is triggered during install or update events through the “post-install-cmd” and “post-update-cmd” hooks. This script then launches the obfuscated “router_runtime.js” credential-stealing payload.
The malware targets the same broad range of sensitive data as in the PyPI campaign — including GitHub, npm, and SSH keys; cloud credentials, Kubernetes configs, Vault secrets, Docker credentials, .env files, and other developer/CI secrets. The stolen data is encrypted and sent to a remote server at “zero.masscan[.]cloud:443/v1/telemetry.” If this primary channel fails, the malware falls back on the GitHub-based exfiltration method, using stolen tokens to create a public repository with the description “A Mini Shai-Hulud has Appeared.”
The malware also includes self-propagation capabilities, abusing discovered npm tokens to modify and re-publish packages laced with the malware. It additionally drops payload files into paths such as “.claude/settings.json” and “.vscode/tasks.json.”
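As an added example (not code from Socket, Lightning or Intercom), the file names, hook names and drop paths the article names for the PyPI, npm and Packagist variants can be turned into a small triage script: it flags install-time hooks and affected pins in a package.json or composer.json, and walks a directory tree for the hidden _runtime directory, the named payload files and the drop paths. The hook command strings and the sample directory layout are constructed for illustration, not captured from a real infection.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators named in the article; anything else in this script is an assumption.
AFFECTED = {"lightning": {"2.6.2", "2.6.3"},  # PyPI
            "intercom-client": {"7.0.4"},  # npm
            "intercom/intercom-php": {"5.0.2"}}  # Packagist
FILE_IOCS = {"start.py", "router_runtime.js", "setup-intercom.sh"}
DROP_PATHS = ("/.claude/settings.json", "/.vscode/tasks.json")
HOOKS = ("preinstall", "postinstall", "post-install-cmd", "post-update-cmd")
DEP_SECTIONS = ("dependencies", "devDependencies", "require", "require-dev")

def check_manifest(text: str) -> list[str]:
    """Flag install-time hooks and affected pins in a package.json or composer.json."""
    data, hits = json.loads(text), []
    for hook in HOOKS:
        cmd = data.get("scripts", {}).get(hook)
        if cmd:  # composer allows a list of commands per hook
            hits += [f"{hook}: {c}" for c in (cmd if isinstance(cmd, list) else [cmd])]
    for section in DEP_SECTIONS:
        for name, spec in data.get(section, {}).items():
            if spec.lstrip("^~=v") in AFFECTED.get(name, ()):
                hits.append(f"{name}@{spec}")
    return hits

def scan_tree(root: str) -> list[str]:
    """Walk a tree for a hidden _runtime dir, known payload names and drop paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel.name == "_runtime":
            hits.append(rel.as_posix())
        for f in files:
            p = (rel / f).as_posix()
            if f in FILE_IOCS or ("/" + p).endswith(DROP_PATHS):
                hits.append(p)
    return sorted(hits)

def build_demo_tree() -> str:
    """Constructed sample layout (not a real capture) to run scan_tree against."""
    root = tempfile.mkdtemp(prefix="lightning_demo_")
    for rel in ("lightning/_runtime/start.py", "lightning/_runtime/router_runtime.js",
                "project/.claude/settings.json", "project/README.md"):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text("# constructed sample\n")
    return root
```

Point `scan_tree` at a site-packages directory or a project checkout; any hit on a lifecycle hook is worth a manual look even when the command is benign, since the article's variants all rely on install-time execution.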
“The PHP payload mirrors the broader Mini Shai-Hulud tradecraft seen across the recent npm and PyPI compromises: install-time execution, Bun-based payload delivery, heavily obfuscated JavaScript, credential harvesting from developer and CI/CD environments, and encrypted exfiltration,” Socket noted.
Intercom, for its part, has traced the root cause of its compromise to a local installation of “pyannote-audio,” which pulled in the tainted Lightning PyPI package as a transitive dependency. This provides strong evidence that these newer infections are downstream effects of prior TeamPCP attack waves rather than separate, independent breaches.
“That’s what makes this especially alarming — one compromised dependency can serve as a bridge into entirely different package ecosystems,” Socket told The Hacker News in an email.
“After two straight weeks of near-continuous attacks, this looks deliberate and sustained rather than opportunistic. The repeated use of install-time execution, Bun-based payload delivery, the obfuscated ‘router_runtime.js’ file, credential harvesting, GitHub abuse, and package/repository propagation all point to a campaign engineered to turn one compromised developer environment into the next compromised package.”
Lightning PyPI Quarantine Lifted
The PyPI quarantine on the Lightning package has since been removed, and the malicious versions 2.6.2 and 2.6.3 have been deleted. The most recent safe version remains 2.6.1.
In a follow-up statement, the package maintainers disclosed that the malicious versions were available on PyPI for 42 minutes before being quarantined. There is no evidence that the GitHub source code repository was ever tampered with.
“The threat actor compromised our PyPI publishing channel,” the maintainers said. “An attacker with access to our PyPI credentials cloned our open-source code, injected a malicious payload, and pushed those tampered builds directly to PyPI as versions 2.6.2 and 2.6.3 — entirely bypassing our source control. Anyone who ran pip install or upgraded to either of those versions received the attacker’s build, not ours.”
(This article was updated after initial publication to incorporate the latest developments and additional insights from Socket.)