"The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload," Socket said.
How the malicious Lightning releases executed on import
Two malicious releases of the popular Python package Lightning — versions 2.6.2 and 2.6.3 — were published on April 30, 2026 and are assessed to have been planted to steal credentials. According to researchers at Aikido Security, OX Security, Socket, and StepSecurity, the packages were crafted so that "the execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import."
The payload includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload. That chain uses a Python script named "start.py" to download and execute the Bun JavaScript runtime and then to run an 11MB obfuscated file, "router_runtime.js," with the stated aim to conduct comprehensive credential theft. The open-source PyTorch Lightning project, which the package implements, has more than 31,100 stars on GitHub; the compromised project has been quarantined by PyPI administrators as of reporting.
GitHub tokens validated and worm-like branch injection
The harvested credentials include GitHub tokens that are validated against the "api.github[.]com/user" endpoint before being used. Once validated, the malware attempts a worm-like injection: it targets up to 50 branches retrieved from every repository the token can write to, creating or overwriting files without checking existing content. Socket described the operation as an upsert — "it creates files that do not yet exist and silently overwrites files that do."
Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic's Claude Code, Socket added. The project maintainers acknowledged "we are aware of the issue and are actively investigating," and researchers say it is currently not clear how the incident occurred, though indications point to a compromise of the project's GitHub account.
NPM propagation vector and links to Mini Shai-Hulud
Beyond the PyPI angle, the malware implements an npm-based propagation vector that modifies a developer's local npm packages by inserting a postinstall hook into the "package.json" file. The malicious flow increases the patch version number and repacks affected .tgz tarballs; if an unaware developer publishes the tampered packages from their environment, those packages become available on npm and deliver the malware downstream.
Security firms assessing the campaign tie these tactics to the Mini Shai-Hulud incident. Socket reported that the campaign targeting Lightning is assessed to be an extension of the Mini Shai-Hulud supply chain incident that earlier targeted SAP-related npm packages. The overlap is described as significant: Socket noted shared technical details including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy.
Separately, version 7.0.4 of the intercom-client npm package was also compromised as part of the Mini Shai-Hulud campaign, using a similar preinstall-hook method to trigger credential-stealing malware.
Attribution and actor behavior: TeamPCP and allied claims
Researchers describe the Lightning compromise as the latest addition to a series of supply chain compromises carried out by a threat actor known as TeamPCP. The actor has launched an onion website on the dark web after its account was suspended from X for violating the platform's rules. TeamPCP has publicly described LAPSUS$ as a "good partner of ours and has been involved heavily throughout this entire operation," and claimed it "has never used VECT encryption tools and we own CipherForce, our own private locker," remarks it made following a Check Point Research report on vulnerabilities in a ransomware encryption process.
What this means for maintainers, developers, and CI/CD teams
- Maintainers: Investigate possible account compromise — Socket and other firms indicate the project's GitHub account was likely used in the incident, and maintainers should review access logs and recent account activity.
- Developers: Block and remove Lightning versions 2.6.2 and 2.6.3 from developer systems, and downgrade to the last known clean version, 2.6.1. Rotate credentials that may have been exposed in affected environments.
- CI/CD teams: Audit pipelines and package publishing workflows for tampered npm tarballs and unexpected postinstall hooks; be alert to unauthorized commits that may have been created with the impersonating identity described by Socket.
The technical trail in the available reporting is concrete: poisoned PyPI releases that execute on import, a downloader that invokes the Bun runtime, an 11MB obfuscated JavaScript payload designed to harvest credentials and abuse GitHub tokens to propagate, and an npm-side mechanism to contaminate developer workflows and downstream publishing. The recorded mitigation steps are equally clear — block the two malicious Lightning releases, revert to 2.6.1, remove any installed copies, and rotate exposed credentials — but the report leaves one critical operational detail unresolved in the public record: how the project’s GitHub account was compromised.
Read the original reporting: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html
