BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Malicious Python Package Steals Credentials

Malicious PyPI Lightning npm intercom-client packages steal credentials inject worm payloads

  • Threat actors published two malicious versions of the popular Python package Lightning (2.6.2 and 2.6.3) on April 30, 2026, as part of a supply chain attack.
  • The malware automatically executes on import to steal credentials and uses stolen GitHub tokens to inject a worm-like payload into up to 50 branches of accessible repositories.
  • The PyPI repository has quarantined the project, and users are advised to block the malicious versions, downgrade to version 2.6.1, and rotate all exposed credentials.
  • The campaign is an extension of the Mini Shai-Hulud supply chain incident and has also compromised the npm package intercom-client.

In a significant supply chain attack on April 30, 2026, threat actors compromised the popular Python Package Index (PyPI) package Lightning to push two malicious versions designed for credential theft, according to reports from Aikido Security and Socket. The campaign appears to be an extension of the Mini Shai-Hulud incident that recently targeted SAP-related npm packages.

- Advertisement -

The malicious versions, 2.6.2 and 2.6.3, automatically run a hidden script when the Lightning module is imported. Consequently, this triggers a chain that downloads an obfuscated JavaScript payload to harvest credentials comprehensively from the infected system.

Socket noted the malware validates stolen GitHub tokens and then uses them to inject a payload into repositories. “The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” the security firm added, stating commits impersonate Anthropic’s Claude Code.

Separately, the malware modifies local npm packages to propagate via a postinstall hook. If a developer publishes a tampered package, the malware spreads further through the npm registry and onto downstream systems.

Project maintainers have acknowledged the issue and are investigating, with initial signs pointing to a compromised GitHub account. In a separate advisory, Lightning confirmed the affected versions contain credential harvesting functionality.

- Advertisement -

Meanwhile, the intercom-client npm package version 7.0.4 was also compromised as part of the same campaign. Socket said the technical overlap links this activity to the threat group TeamPCP.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Web3 Warsaw 2026 — Eastern Europe’s Largest Blockchain Conference Returns This September

Web3 Warsaw 2026, the largest blockchain and technology conference in Eastern Europe, will take...

Azure CLI Hit By Massive Password Spray Attack

A massive, automated password spray attack originating from LSHIY LLC made over 81 million...

Michael Burry Shorts Tesla at $416 Ahead of Q2 Report

Famed investor Michael Burry disclosed a short position in Tesla at $416.22 ahead of...

Michael Saylor’s credit pivot as BTC-focused firm tanks

Michael Saylor's public messaging pivoted from disparaging credit to praising it in June 2025.His...

RustDuck malware builds DDoS botnet, evolves in Rust

A new botnet called RustDuck is hijacking home routers and servers to launch DDoS...

Must Read

7 Best NFT Marketplaces for Every Need

Open Sea | Pianity | Foundation | Magic Eden | SuperRare | Rarible | Theta Drop | Other Platforms | About NFTs | FAQ...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading