PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

The Hacker News | Published: April 30, 2026 | Updated: May 9, 2026

In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft.

According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday.

As of writing, the project has been quarantined by the administrators of the Python Package Index (PyPI) repository. PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch. The open-source project has more than 31,100 stars on GitHub.

“The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.”

The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to run an 11MB obfuscated malicious payload (“router_runtime.js”) with the aim of conducting comprehensive credential theft.

From among the harvested credentials, the GitHub tokens are validated against the “api.github[.]com/user” endpoint before being used to inject a worm-like payload into up to 50 branches retrieved from every repository the token can write to.

“The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” Socket added. “No pre-check for existing content is performed. Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic’s Claude Code.”

Separately, the malware implements an npm-based propagation vector that modifies the developer’s local npm packages with a postinstall hook in the “package.json” file to invoke the malicious payload, increases the patch version number, and repacks the .tgz tarballs. Should the unsuspecting developer publish the tampered packages from their local environment, they are made available on npm, from where the malware ends up on downstream user systems.

The maintainers of the project have acknowledged that “we are aware of the issue and are actively investigating.” It’s currently not clear how the incident occurred, but indications are that the project’s GitHub account has been compromised.

In a separate advisory, Lightning revealed an investigation is still underway to determine the exact root cause of the compromise and that the “affected versions have introduced functionality consistent with a credential harvesting mechanism.”

In the interim, it’s advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer systems, if already installed. It’s also essential to downgrade to the last known clean version, 2.6.1, and rotate credentials exposed in affected environments.

The supply chain attack is the latest addition to a long list of compromises carried out by a threat actor known as TeamPCP, which has now launched an onion website on the dark web after its account was suspended from X for violating the platform’s rules.

It also called LAPSUS$ a “good partner of ours and has been involved heavily throughout this entire operation.” The group also made it a point to emphasize that it has “never used VECT encryption tools and we own CipherForce, our own private locker,” following a report from Check Point Research about vulnerabilities discovered in the ransomware’s encryption process.

Intercom npm and Packagist Packages Compromised as Part of Mini Shai-Hulud

In a related development, it has emerged that version 7.0.4 of intercom-client has been compromised as part of the Mini Shai-Hulud campaign, following a similar modus operandi as that of the SAP packages to trigger the execution of a credential-stealing malware using a preinstall hook.

“The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said.

It has since been confirmed that the GitHub user “nhur” was hacked and that the malicious intercom-client@7.0.4 package was published through a now-deleted branch that triggered an automated CI publish workflow.

In tandem, the campaign has also spread to Packagist with the compromise of “intercom/intercom-php” (version 5.0.2), which adapts the same credential-stealing mechanism for the PHP ecosystem.

Specifically, the package uses Composer plugin execution to download Bun by means of a shell script (“setup-intercom.sh”) that’s triggered during install or update events (via the “post-install-cmd” and “post-update-cmd” hooks) and launches an obfuscated “router_runtime.js” credential-stealing payload.

The malware component, as before, targets GitHub, npm, SSH keys, cloud credentials, Kubernetes, Vault, Docker credentials, .env files, and other developer/CI secrets. The stolen data is then encrypted and exfiltrated to a remote server (“zero.masscan[.]cloud:443/v1/telemetry”). If this primary method fails, it falls back to the GitHub-based exfiltration method using the pilfered GitHub tokens by creating a public repository with the description “A Mini Shai-Hulud has Appeared.”

It also comes fitted with propagation capabilities, abusing the discovered npm tokens to modify and republish packages containing the malware, in addition to writing the payload files to paths like “.claude/settings.json” and “.vscode/tasks.json.”

“The PHP payload mirrors the broader Mini Shai-Hulud tradecraft observed across recent npm and PyPI compromises: install-time execution, Bun-based payload launch, heavily obfuscated JavaScript, credential harvesting from developer and CI/CD environments, and encrypted exfiltration,” Socket said.
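The three install-time footholds the article describes (the hidden `_runtime` loader in the Python package, the npm `preinstall`/`postinstall` hook, and the Composer `post-install-cmd`/`post-update-cmd` hooks that launch Bun or `setup-intercom.sh`) can be triaged with one filesystem walk. The script below is an added example written for this page, not code from The Hacker News, Socket or any of the affected projects; the indicator strings come from the article, while the function names, manifest layout and the constructed fixture are this example's own assumptions.

```python
import json
import os
import tempfile

# Indicator strings come from the article; helper names and layout are this example's.
PAYLOAD_MARKERS = ("router_runtime.js", "setup-intercom.sh")
MANIFEST_HOOKS = {"package.json": ("preinstall", "postinstall"),
                  "composer.json": ("post-install-cmd", "post-update-cmd")}

def hook_runs_payload(value) -> bool:
    """npm hooks are strings, Composer hooks may be lists; flag a Bun launch or a named payload."""
    cmds = value if isinstance(value, list) else [value]
    return any("bun" in str(c).lower().split() or any(m in str(c) for m in PAYLOAD_MARKERS) for c in cmds)

def scan_tree(root: str) -> list:
    """Walk an install tree (site-packages, node_modules, vendor) and list indicators found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Hidden _runtime loader directory dropped into the Python package.
        if os.path.basename(dirpath) == "_runtime" and {"start.py", "router_runtime.js"} & set(files):
            findings.append(f"_runtime loader: {dirpath}")
        # Install-time hooks in npm or Composer manifests that launch Bun / the payload.
        for manifest, hooks in MANIFEST_HOOKS.items():
            if manifest not in files:
                continue
            try:
                with open(os.path.join(dirpath, manifest), encoding="utf-8") as fh:
                    scripts = json.load(fh).get("scripts") or {}
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or unexpected manifest shape: skip, do not crash the sweep
            for hook in hooks:
                if hook in scripts and hook_runs_payload(scripts[hook]):
                    findings.append(f"{manifest} {hook} hook: {dirpath}")
    return findings

def build_constructed_fixture() -> str:
    """Throwaway tree holding constructed (not real) samples of each indicator, for a dry run."""
    root = tempfile.mkdtemp(prefix="triage-")
    runtime = os.path.join(root, "lightning", "_runtime")
    os.makedirs(runtime)
    open(os.path.join(runtime, "start.py"), "w").close()  # empty stand-in for the loader
    samples = {
        os.path.join(root, "node_modules", "lib", "package.json"): {"scripts": {"postinstall": "bun ./router_runtime.js"}},
        os.path.join(root, "vendor", "acme", "lib", "composer.json"): {"scripts": {"post-install-cmd": ["sh setup-intercom.sh"]}},
    }
    for path, manifest in samples.items():
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh: json.dump(manifest, fh)
    return root
```

Point `scan_tree` at a real site-packages, node_modules or vendor directory to sweep it; a non-empty result is a reason to pull the host from CI and rotate the credentials listed in the article.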

Intercom, for its part, has traced the root cause of the compromise to a local install of “pyannote-audio,” which introduced the compromised Lightning PyPI package as a transitive dependency, offering clear evidence that the newer infections are downstream effects from prior TeamPCP waves rather than entirely independent initial access events.

“That makes this especially concerning because one compromised dependency can become a bridge into additional package ecosystems,” Socket told The Hacker News via email.

“After two solid weeks of virtually nonstop attacks, the tempo looks deliberate and sustained rather than opportunistic. The repeated use of install-time execution, Bun-based payload delivery, obfuscated ‘router_runtime.js,’ credential harvesting, GitHub abuse, and package/repository propagation shows a campaign built to turn one compromised developer environment into the next package compromise.”

Lightning PyPI Quarantine Removed

The PyPI quarantine on the Lightning package has been lifted and the malicious versions 2.6.2 and 2.6.3 have been deleted. The latest safe version is 2.6.1.

In a follow-up update, the package maintainers said the malicious versions were live in PyPI for 42 minutes before they were quarantined. There is no evidence that the GitHub source code repository was ever compromised.

“The threat compromised our PyPI publishing channel,” they added. “An attacker with access to our PyPI credentials cloned our open source code, injected a malicious payload, and pushed those tampered builds directly to PyPI as malicious versions 2.6.2 and 2.6.3, bypassing our source control entirely. Any user who pip installed or updated to either of those versions received the attacker’s build, not ours.”

(The story was updated after publication to reflect the latest developments and include additional insights from Socket.)
