Overview
In yet another wave of software supply chain attacks, threat actors have compromised the popular Python package Lightning (PyTorch Lightning) to push two malicious versions designed to conduct credential theft. The campaign has been identified as an extension of the ongoing Mini Shai-Hulud supply chain incident, which has now spread beyond npm to PyPI and Packagist. Additionally, the intercom-client npm package and intercom-php Packagist package have been compromised as part of the same coordinated operation.
PyTorch Lightning Compromise

According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions (2.6.2 and 2.6.3) were published on April 30, 2026. As of writing, the project has been quarantined by PyPI administrators. PyTorch Lightning is an open-source Python framework providing a high-level interface for PyTorch, with more than 31,100 stars on GitHub.
“The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.”
The attack chain executes a Python script (start.py), which downloads and runs the Bun JavaScript runtime, then uses it to execute an 11MB obfuscated payload (router_runtime.js) designed for comprehensive credential theft. Harvested GitHub tokens are validated against GitHub’s API before being used to inject a worm-like payload into up to 50 branches per repository the token can write to. Socket described the operation as “an upsert: it creates files that do not yet exist and silently overwrites files that do.” Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic’s Claude Code.
Separately, the malware implements an npm-based propagation vector that modifies local npm packages with a malicious postinstall hook in package.json, increases the patch version number, and repacks the .tgz tarballs. If the developer publishes the tampered packages, the malware spreads to downstream users on npm.
Intercom Package Compromise
Version 7.0.4 of intercom-client was compromised as part of the Mini Shai-Hulud campaign, following a similar modus operandi to the SAP packages to trigger credential-stealing malware using a preinstall hook. It has since been confirmed that the GitHub user “nhur” was hacked and that the malicious package was published through a now-deleted branch triggering an automated CI publish workflow.
The campaign has also spread to Packagist with the compromise of “intercom/intercom-php” (version 5.0.2), adapting the same credential-stealing mechanism for the PHP ecosystem. The PHP package uses Composer plugin execution to download Bun via a shell script triggered during install or update events, launching the same obfuscated router_runtime.js payload.
Malware Capabilities
The malware component targets GitHub tokens, npm tokens, SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configurations, Vault secrets, Docker credentials, .env files, and other developer and CI/CD secrets. Stolen data is encrypted and exfiltrated to a remote server at zero.masscan[.]cloud:443/v1/telemetry. If this primary method fails, it falls back to GitHub-based exfiltration using pilfered tokens by creating a public repository with the description “A Mini Shai-Hulud has Appeared.”
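As a defender-side sweep for the artifacts described in the attack chain and propagation sections above (an added example, not code from this write-up or from any of the vendors cited), this Python script checks a site-packages directory for the two known-bad Lightning releases and the `_runtime`, `start.py` and `router_runtime.js` loader files, and scans `package.json` manifests for preinstall/postinstall hooks that invoke Bun or the loader. It assumes the loader sits somewhere under the installed `lightning` package; `demo()` runs the sweep over a constructed tree of placeholder files.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators quoted in the public reports on this campaign; not an exhaustive IoC list.
MALICIOUS_LIGHTNING_VERSIONS = {"2.6.2", "2.6.3"}
PAYLOAD_FILES = {"start.py", "router_runtime.js"}
HOOK_PATTERN = re.compile(r"\bbun\b|router_runtime\.js|_runtime", re.IGNORECASE)


def lightning_findings(site_packages):
    """Flag the known-bad lightning releases and the hidden _runtime loader artifacts."""
    site_packages = Path(site_packages)
    findings = []
    for dist in site_packages.glob("lightning-*.dist-info"):
        version = dist.name[len("lightning-"):-len(".dist-info")]
        if version in MALICIOUS_LIGHTNING_VERSIONS:
            findings.append(f"{dist.name}: malicious lightning release {version}")
    pkg = site_packages / "lightning"
    # The reports do not pin the loader's exact location, so sweep the whole package tree.
    for path in (pkg.rglob("*") if pkg.is_dir() else []):
        if (path.is_dir() and path.name == "_runtime") or path.name in PAYLOAD_FILES:
            findings.append(f"{path.relative_to(site_packages).as_posix()}: loader artifact")
    return findings


def npm_hook_findings(root):
    """Flag package.json manifests whose install hooks invoke the Bun-based loader."""
    root, findings = Path(root), []
    for pj in root.rglob("package.json"):
        try:
            scripts = json.loads(pj.read_text()).get("scripts", {})
        except (ValueError, OSError, AttributeError):
            continue  # unreadable or malformed manifest: skip it rather than abort the sweep
        for hook in ("preinstall", "postinstall"):
            cmd = scripts.get(hook, "")
            if isinstance(cmd, str) and HOOK_PATTERN.search(cmd):
                findings.append(f"{pj.relative_to(root).as_posix()}: suspicious {hook} hook {cmd!r}")
    return findings


def demo():
    """Sweep a constructed tree that mimics an infected install (placeholder files, no malware)."""
    base = Path(tempfile.mkdtemp())
    (base / "lightning-2.6.3.dist-info").mkdir()
    (base / "lightning" / "_runtime").mkdir(parents=True)
    (base / "lightning" / "_runtime" / "start.py").write_text("# constructed placeholder\n")
    (base / "proj").mkdir()
    (base / "proj" / "package.json").write_text(
        json.dumps({"scripts": {"postinstall": "bun ./_runtime/router_runtime.js"}}))
    return lightning_findings(base) + npm_hook_findings(base / "proj")
```

Point `lightning_findings` at each interpreter's site-packages and `npm_hook_findings` at your source checkouts; a hit on the hook scanner only tells you a manifest was tampered with, so also check whether the bumped patch version was already published.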
Threat Actor Attribution
The campaign is attributed to a threat actor known as TeamPCP, which has launched an onion website on the dark web after its account was suspended from X for violating platform rules. The group also called out LAPSUS$ as “a good partner of ours.” Intercom traced the root cause of the compromise to a local install of pyannote-audio, which introduced the compromised Lightning PyPI package as a transitive dependency, confirming that newer infections are downstream effects from prior TeamPCP waves.
Remediation
The PyPI quarantine on the Lightning package has been lifted and the malicious versions 2.6.2 and 2.6.3 have been deleted. Users are advised to downgrade to version 2.6.1 and rotate any credentials exposed in affected environments. The Lightning team confirmed they are investigating, with indications that the project’s GitHub account was compromised.