Malicious Python Package Steals Credentials

In a significant supply chain attack on April 30, 2026, threat actors compromised the popular Python Package Index (PyPI) package Lightning to push two malicious versions designed for credential theft, according to reports from Aikido Security and Socket. The campaign appears to be an extension of the Mini Shai-Hulud incident that recently targeted SAP-related npm packages.

The malicious versions, 2.6.2 and 2.6.3, automatically run a hidden script when the Lightning module is imported. Consequently, this triggers a chain that downloads an obfuscated JavaScript payload to harvest credentials comprehensively from the infected system.

Socket noted the malware validates stolen GitHub tokens and then uses them to inject a payload into repositories. “The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” the security firm added, stating commits impersonate Anthropic’s Claude Code.

Separately, the malware modifies local npm packages to propagate via a postinstall hook. If a developer publishes a tampered package, the malware spreads further through the npm registry and onto downstream systems.

Project maintainers have acknowledged the issue and are investigating, with initial signs pointing to a compromised GitHub account. In a separate advisory, Lightning confirmed the affected versions contain credential harvesting functionality.

Meanwhile, the intercom-client npm package version 7.0.4 was also compromised as part of the same campaign. Socket said the technical overlap links this activity to the threat group TeamPCP.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Senate Bans Members From Trading on Prediction Markets
• North Korea Stole 76% of 2026 Crypto Hack Value
• Stellar invests in German crypto registrar Cashlink
• Used Tesla Model X Demand Jumps Amid End of Production
• Accenture Joins Hedera Council to Build Trusted AI Infrastructure