PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

Written by Ravie Lakshmanan on Apr 30, 2026

Tags: Supply Chain Attack / Malware

In a recent software supply chain attack, threat actors have compromised the popular Python package Lightning to distribute two malicious versions for credential theft.

The malicious versions, 2.6.2 and 2.6.3, were published on April 30, 2026, and are linked to the Mini Shai-Hulud supply chain incident targeting SAP-related npm packages.

The Python Package Index (PyPI) repository administrators have quarantined the project. PyTorch Lightning is an open-source Python framework with over 31,100 stars on GitHub.

According to reports, the malicious package contains an obfuscated JavaScript payload that executes when the lightning module is imported, leading to credential theft.

The attack involves running a Python script that downloads and executes the malicious payload to harvest credentials, including GitHub tokens for further exploitation.

The maintainers are investigating the incident, and users are advised to block versions 2.6.2 and 2.6.3, downgrade to version 2.6.1, and rotate exposed credentials.

This supply chain attack is attributed to TeamPCP, who have launched an onion website on the dark web following suspension from X.

Intercom npm Package Compromised

Version 7.0.4 of intercom-client has also been compromised in a similar supply chain attack, linked to the Mini Shai-Hulud campaign.

The attack shares similarities with previous TeamPCP activities, including credential harvesting and GitHub-based exfiltration.
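As an added, defender-side example (not code from the article or from either project): a small Python checker that flags the versions named above in a `requirements.txt` or `package-lock.json` and emits a pip constraints line that blocks them. The version table is constructed from the figures in this article and is an assumption to be kept current.

```python
import json
import re

# Affected versions as named in the article above (a constructed table, not a live feed).
COMPROMISED = {
    ("pypi", "lightning"): {"2.6.2", "2.6.3"},
    ("npm", "intercom-client"): {"7.0.4"},
}

# Matches exact pins such as "lightning==2.6.2 ; python_version >= '3.9'".
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)")


def scan_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pins from requirements.txt text that hit the list."""
    hits = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if not m:
            continue
        # Normalise the name (case, underscores) the way PyPI does before comparing.
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if version in COMPROMISED.get(("pypi", name), ()):
            hits.append((name, version))
    return hits


def scan_package_lock(text: str) -> list[tuple[str, str]]:
    """Return flagged entries from a package-lock.json (lockfile v2/v3 'packages' map)."""
    lock = json.loads(text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, never a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        if meta.get("version", "") in COMPROMISED.get(("npm", name), ()):
            hits.append((name, meta["version"]))
    return hits


def pip_constraints() -> str:
    """Emit a constraints file that blocks the affected versions (use with `pip install -c`)."""
    return "\n".join(
        f"{name}!=" + ",!=".join(sorted(versions))
        for (ecosystem, name), versions in COMPROMISED.items()
        if ecosystem == "pypi"
    )


if __name__ == "__main__":
    # Constructed sample manifests, not taken from any real project.
    reqs = "torch==2.3.0\nLightning == 2.6.3\nlightning==2.6.1\n"
    lock = '{"packages": {"": {}, "node_modules/intercom-client": {"version": "7.0.4"}}}'
    print(scan_requirements(reqs), scan_package_lock(lock), pip_constraints(), sep="\n")
```

Pointing the two scanners at CI-checked-out manifests, and installing with the emitted constraints file, gives a simple gate until the upstream projects publish clean releases.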