    PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

    By admin | April 30, 2026

    Ravie LakshmananApr 30, 2026Supply Chain Attack / Malware

    In yet another software supply chain attack, threat actors have compromised the popular Python package Lightning and pushed two malicious versions that conduct credential theft.

    According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday.

    As of writing, the project has been quarantined by the administrators of the Python Package Index (PyPI) repository. PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch. The open-source project has more than 31,100 stars on GitHub.

    “The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.”

    The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to run an 11MB obfuscated malicious payload (“router_runtime.js”) with the aim of conducting comprehensive credential theft.

    The maintainers of the project have acknowledged that “we are aware of the issue and are actively investigating.” It’s currently not clear how the incident occurred, but indications are that the project’s GitHub account has been compromised.

    Among the harvested credentials, GitHub tokens are validated against the “api.github[.]com/user” endpoint before being used to inject a worm-like payload into up to 50 branches retrieved from every repository the token can write to.

    “The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” Socket added. “No pre-check for existing content is performed. Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic’s Claude Code.”

    Separately, the malware implements an npm-based propagation vector that modifies the developer’s local npm packages with a postinstall hook in the “package.json” file to invoke the malicious payload, increases the patch version number, and repacks the .tgz tarballs. Should the unsuspecting developer publish the tampered packages from their local environment, they are made available on npm, from where the malware ends up on downstream user systems.
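A pre-publish check for the tampering pattern described above, as an added example that is not code from the article or from any vendor it cites. It compares a trusted manifest (for instance the one in version control) with the package.json inside the tarball about to be published; the package name, script values, and version numbers in the demo are constructed.

```python
import io
import json
import tarfile

# npm lifecycle scripts that run automatically at install time
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def manifest_from_tgz(data):
    """Read package/package.json from the bytes of an npm tarball without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return json.load(tar.extractfile("package/package.json"))


def review_manifest(baseline, current):
    """Compare a trusted manifest (e.g. from version control) with the one about to ship."""
    findings = []
    old, new = baseline.get("scripts", {}), current.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in new and new[hook] != old.get(hook):
            findings.append(f"{hook} hook added or changed: {new[hook]!r}")
    try:
        a = [int(p) for p in baseline["version"].split(".")]
        b = [int(p) for p in current["version"].split(".")]
        bumped = len(a) == len(b) == 3 and a[:2] == b[:2] and b[2] == a[2] + 1
    except (KeyError, ValueError):
        bumped = False  # missing or pre-release version: skip the version check
    if findings and bumped:
        findings.append(f"patch-only bump {baseline['version']} -> {current['version']} alongside a new hook")
    return findings


def make_tgz(manifest):
    """Build a constructed in-memory npm-style tarball for the demo below."""
    body = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data: a trusted manifest and a tampered copy of it.
    trusted = {"name": "example-pkg", "version": "1.4.2", "scripts": {"test": "node test.js"}}
    tampered = dict(trusted, version="1.4.3",
                    scripts={"test": "node test.js", "postinstall": "node placeholder.js"})
    for line in review_manifest(trusted, manifest_from_tgz(make_tgz(tampered))):
        print(line)
```

A patch bump on its own is routine, so the version finding is reported only when an install-time hook was also added or changed.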

    In a separate advisory, Lightning revealed an investigation is still underway to determine the exact root cause of the compromise and that the “affected versions have introduced functionality consistent with a credential harvesting mechanism.”

    In the interim, it’s advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer systems, if already installed. It’s also essential to downgrade to the last known clean version, 2.6.1, and rotate credentials exposed in affected environments.
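One way to check developer systems for the affected releases, as an added example that is not code from the article or from the Lightning project. It reads package metadata only and never imports lightning, since import is what starts the execution chain; the assumption that the `_runtime` directory sits somewhere under the installed `lightning` package tree is mine, as the article does not give its exact path.

```python
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                  # versions named in the article
PAYLOAD_FILES = {"start.py", "router_runtime.js"}  # file names named in the article


def scan_site_packages(root):
    """Return findings for one site-packages directory without importing anything."""
    root = Path(root)
    findings = []
    # Read *.dist-info / *.egg-info metadata only.
    for dist in metadata.distributions(path=[str(root)]):
        try:
            name, version = dist.metadata["Name"], dist.version
        except Exception:
            continue  # broken or partial metadata: nothing to compare
        if (name or "").lower() == "lightning" and version in BAD_VERSIONS:
            findings.append(f"affected version installed: lightning {version}")
    # Assumption: the hidden _runtime directory is under the lightning package tree.
    pkg = root / "lightning"
    if pkg.is_dir():
        for d in pkg.rglob("_runtime"):
            if not d.is_dir():
                continue
            hits = sorted(p.name for p in d.iterdir() if p.name in PAYLOAD_FILES)
            if hits:
                rel = d.relative_to(root).as_posix()
                findings.append(f"payload files in {rel}: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    # Scan every directory on this interpreter's module search path.
    for entry in sys.path:
        if Path(entry).is_dir():
            for finding in scan_site_packages(entry):
                print(f"{entry}: {finding}")
```

Run it with each interpreter or virtual environment in use; a finding means the environment should be treated as exposed and its credentials rotated, as the advisory above says.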

    The supply chain attack is the latest addition to a long list of compromises carried out by a threat actor known as TeamPCP, which has now launched an onion website on the dark web after its account was suspended from X for violating the platform’s rules.

    It also called LAPSUS$ a “good partner of ours and has been involved heavily throughout this entire operation.” The group also made it a point to emphasize that it has “never used VECT encryption tools and we own CipherForce, our own private locker,” following a report from Check Point Research about vulnerabilities discovered in the ransomware’s encryption process.

    Intercom npm Package Compromised as Part of Mini Shai-Hulud

    In a related development, it has emerged that version 7.0.4 of intercom-client has been compromised as part of the Mini Shai-Hulud campaign, following a modus operandi similar to that of the SAP packages: a preinstall hook triggers the execution of credential-stealing malware.

    “The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said.
