# Incident Report: PyPI and NPM Supply Chain Compromise (Lightning/Intercom)
## Executive Summary
A coordinated supply chain attack targeted popular software packages across the PyPI, NPM, and Packagist ecosystems. By injecting malicious code into the `lightning`, `intercom-client`, and `intercom-php` packages, attackers automated the theft of credentials from developer environments and CI/CD pipelines. The attack leveraged a massive 11 MB obfuscated JavaScript payload executed via the Bun runtime to harvest sensitive data.
## Incident Details
- **Discovery Date:** April 30, 2026 (Published)
- **Incident Date:** Circa April 2026
- **Affected Organization:** Users of Lightning AI (PyTorch Lightning), Intercom Client, and Intercom PHP
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Supply Chain Compromise / Package Hijacking
- **Details:** Malicious versions of legitimate packages were uploaded to public repositories (PyPI, NPM, and Packagist). Specifically, `lightning` (PyPI), `intercom-client` v7.0.4 (NPM), and `intercom/intercom-php` v5.0.2 (Packagist) were identified as compromised.
### Lateral Movement
- **Details:** The malware targets CI/CD environments and developer workstations. By obtaining cloud provider credentials and environment variables, attackers could potentially move from a local build environment into production cloud infrastructure.
### Data Exfiltration/Impact
- **Details:** The primary impact was the silent harvesting of credentials. The 11 MB obfuscated payload was designed to scan for and exfiltrate sensitive secrets, API keys, and environment variables.
### Detection & Response
- **Detection:** Security researchers and automated monitoring tools identified unusual outbound connections and the unexpected installation of the Bun runtime during package setup/import.
- **Response:** Compromised package versions were reported to repository maintainers for removal. Incident reports were published by affected organizations (e.g., Lightning AI) to alert the community.
## Attack Methodology
- **Initial Access:** Package Hijacking; attackers gained unauthorized access to publish new versions of trusted libraries.
- **Persistence:** Malicious code is triggered automatically upon `import` (Python) or during the `preinstall` phase (NPM), ensuring execution every time the software is used or deployed.
- **Defense Evasion:** Use of a large (11 MB) highly obfuscated JavaScript payload to hinder static analysis and manual code review.
- **Credential Access:** Automated harvesting of credentials from developer environments and environment variables.
- **Discovery:** Scanning local file systems within CI/CD and dev environments for configuration files and secrets.
- **Execution:** Unauthorized execution via the **Bun** runtime, which is downloaded and installed silently by the malicious scripts.
- **Impact:** Data exfiltration and potential secondary compromise of linked cloud services.
## Impact Assessment
- **Financial:** Unknown; potential for significant loss if cloud credentials were used for resource hijacking or data theft.
- **Data Breach:** High risk; theft of developer secrets and CI/CD environment variables.
- **Operational:** Disruption to development workflows as teams have to audit pipelines and rotate all compromised secrets.
- **Reputational:** Damage to the perceived security of the identified open-source packages and the broader supply chain ecosystem.
## Indicators of Compromise
- **File Indicators:**
  - `setup.mjs` (NPM version)
  - `router_runtime.js` (NPM version)
  - Unexpected `bun` binary in temporary directories or project folders.
- **Behavioral Indicators:**
  - Python `import lightning` triggering outbound requests to download external binaries.
  - Installation of the Bun runtime without user consent.
  - Large obfuscated JavaScript files (~11 MB) appearing in package directories.
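The indicators above can be turned into a quick audit of an installed dependency tree. The script below is an added example (not from this report, Lightning AI or Intercom): it walks a directory and flags the listed file names, a stray `bun` binary, oversized JavaScript files and NPM lifecycle hooks such as `preinstall`. The 10 MB size threshold and the sample tree it constructs for demonstration are assumptions, not data from the incident.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the report above; the size threshold is an assumption
# chosen to catch the ~11 MB payload while ignoring ordinary bundles.
SUSPECT_FILENAMES = {"setup.mjs", "router_runtime.js"}
SUSPECT_BINARIES = {"bun", "bun.exe"}
LARGE_JS_BYTES = 10 * 1024 * 1024
RISKY_HOOKS = {"preinstall", "install", "postinstall"}


def audit_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return sorted (indicator, path) pairs for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in SUSPECT_FILENAMES:
                findings.append(("suspect-file", str(path)))
            if name in SUSPECT_BINARIES:
                findings.append(("bun-binary", str(path)))
            if name.endswith((".js", ".mjs", ".cjs")) and path.stat().st_size >= LARGE_JS_BYTES:
                findings.append(("large-js", str(path)))
            if name == "package.json":
                try:
                    scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
                except (ValueError, OSError):
                    continue  # unreadable manifest: nothing to check here
                for hook in sorted(RISKY_HOOKS & set(scripts)):
                    findings.append((f"lifecycle-hook:{hook}", str(path)))
    return sorted(findings)


def build_sample_tree(include_indicators: bool = True) -> str:
    """Create a constructed node_modules layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    pkg = Path(root) / "node_modules" / "intercom-client"
    pkg.mkdir(parents=True)
    manifest = {"name": "intercom-client", "version": "7.0.4", "scripts": {}}
    if include_indicators:
        manifest["scripts"]["preinstall"] = "node setup.mjs"  # constructed, not the real hook
        (pkg / "setup.mjs").write_text("// placeholder stand-in, not the real dropper\n")
        with open(pkg / "router_runtime.js", "wb") as f:
            f.truncate(LARGE_JS_BYTES)  # sparse file: has the size without any payload
        (pkg / "bun").write_bytes(b"\x7fELF")  # fake binary header only
    (pkg / "package.json").write_text(json.dumps(manifest))
    return root
```

Point `audit_tree` at a project's `node_modules` or a virtualenv's `site-packages`; hits are leads for manual review, not proof of compromise.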
## Response Actions
- **Containment:** Removal of malicious versions (`intercom-client` v7.0.4, `intercom/intercom-php` v5.0.2, and affected `lightning` versions) from public repositories.
- **Eradication:** Instructions provided to users to delete local package caches and audit environment variables.
- **Recovery:** Organizations advised to rotate all secrets (AWS keys, GitHub tokens, etc.) that were present in environments where the compromised packages were installed.
## Lessons Learned
- **Implicit Trust:** The attack demonstrates that "Zero Trust" must apply to internal dependencies; code should be verified before it is allowed to run in CI/CD.
- **Installation Hooks:** NPM `preinstall` and Python `import` triggers remain high-risk vectors for stealthy malware execution.
- **Binary Inclusion:** Attackers are increasingly bringing their own runtimes (like Bun) to bypass language-specific security constraints.
## Recommendations
- **Pin Dependencies:** Use lockfiles (e.g., `package-lock.json`, `poetry.lock`) and hash verification to ensure only known-good code is pulled.
- **Environment Isolation:** Run CI/CD builds in ephemeral, isolated environments with restricted network access to prevent outbound exfiltration.
- **Secret Management:** Use short-lived credentials and OIDC for CI/CD instead of long-lived environment variables.
- **Monitoring:** Implement monitoring for unexpected process execution (e.g., a Python process spawning a shell or the Bun runtime) and unauthorized outbound network traffic from build servers.