Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library


TLDR

  • PyPI package lightning versions 2.6.2 and 2.6.3 were backdoored with credential-stealing malware that executes on import and worms across npm.

Key Takeaways

  • A malicious _runtime/ directory runs an obfuscated 14.8 MB JavaScript payload via Bun on import; it steals env vars, cloud secrets (AWS/Azure/GCP), and GitHub tokens across four exfil channels.
  • Worm propagates to npm: if npm publish credentials are found, the malware injects a preinstall dropper into every package that token can publish and bumps the patch version.
  • Persistence hooks target Claude Code (.claude/settings.json SessionStart) and VS Code (.vscode/tasks.json folderOpen); both re-execute the payload on project open with no user action.
  • GitHub Actions persistence: if a write token is available, the malware pushes a Formatter workflow that dumps all secrets via ${{ toJSON(secrets) }} as a downloadable artifact.
  • Any environment that imported lightning during the affected window should be treated as fully compromised; rotate all GitHub tokens, cloud credentials, and API keys immediately.
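
To triage the three persistence locations named above, the following added example (not code from the original article or from the Lightning project) walks a directory tree and lists every Claude Code SessionStart hook, every VS Code folderOpen task, and every workflow containing toJSON(secrets). It assumes the standard file layouts of those tools; the function names are illustrative, and each finding is a lead for manual review because legitimate projects also use these hooks.

```python
import json, re, sys
from pathlib import Path

# Expression the page says the pushed workflow uses to dump every secret.
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)

def _load(path):
    """Return (parsed dict or None, raw text). tasks.json may hold comments and not parse."""
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        data = json.loads(text)
    except ValueError:
        return None, text
    return (data if isinstance(data, dict) else None), text

def claude_session_hooks(path):
    """Commands registered under hooks.SessionStart in a Claude Code settings file."""
    data, text = _load(path)
    if data is None:  # unparsable: fall back to a keyword match so it still gets reviewed
        return ["<unparsed, mentions SessionStart>"] if "SessionStart" in text else []
    groups = (data.get("hooks") or {}).get("SessionStart") or []
    return [str(h.get("command", "<no command>"))
            for g in groups if isinstance(g, dict)
            for h in g.get("hooks") or [] if isinstance(h, dict)]

def vscode_folderopen_tasks(path):
    """Commands of VS Code tasks whose runOptions.runOn is folderOpen."""
    data, text = _load(path)
    if data is None:
        return ["<unparsed, mentions folderOpen>"] if "folderOpen" in text else []
    return [str(t.get("command", t.get("label", "<unnamed>")))
            for t in data.get("tasks") or [] if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan(root):
    """Return sorted (relative path, kind, detail) findings for manual review."""
    root, out = Path(root), []
    for p in root.rglob(".claude/settings.json"):
        out += [(p, "claude-SessionStart", c) for c in claude_session_hooks(p)]
    for p in root.rglob(".vscode/tasks.json"):
        out += [(p, "vscode-folderOpen", c) for c in vscode_folderopen_tasks(p)]
    for p in root.rglob(".github/workflows/*.y*ml"):
        if SECRETS_DUMP.search(p.read_text(encoding="utf-8", errors="replace")):
            out.append((p, "workflow-secrets-dump", "toJSON(secrets)"))
    return sorted((p.relative_to(root).as_posix(), k, d) for p, k, d in out)

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it against a checkout root or a directory of checkouts; compare any listed command with the project's git history before trusting it.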

Hacker News Comment Review

  • Commenters flagged a growing ML-specific risk: deep learning projects carry massive dependency trees with little of the security hygiene web development has accumulated over years.
  • Concern surfaced that AI coding agents like Claude Code now mediate package installation decisions, with models trained before compromise events having no signal on current package safety.
  • The Claude Code hook abuse was noted as a novel persistence vector; one commenter flagged that Claude Code’s frequent auto-updates create a large, high-trust attack surface themselves.

Notable Comments

  • @mkeeter: GitHub repo search confirmed 2,200+ attacker exfil repos with description “A Mini Shai-Hulud has Appeared” created within 24 hours – directly searchable as an IOC.
  • @nrengan: “Most of my pip installs come from Claude Code suggesting them now and me just hitting enter” – AI agents as package gatekeepers with stale training data is a structural blind spot.
