Full Report
In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the
Analysis Summary
# Incident Report: PyTorch Lightning Supply Chain Compromise
## Executive Summary
The popular Python library PyTorch Lightning was compromised via a software supply chain attack, resulting in the publication of two malicious versions (2.6.2 and 2.6.3) to the PyPI repository. The malware executes automatically upon import to steal developer credentials and propagate to other repositories and npm packages. The attack is attributed to the threat group "TeamPCP" and is linked to the broader "Mini Shai-Hulud" campaign.
## Incident Details
- **Discovery Date:** April 30, 2026
- **Incident Date:** April 30, 2026
- **Affected Organization:** Lightning AI (PyTorch Lightning)
- **Sector:** Technology / Artificial Intelligence / Open Source Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 30, 2026
- **Vector:** Likely GitHub Account Compromise
- **Details:** Threat actors gained access to the project's publishing credentials or GitHub account to push malicious versions 2.6.2 and 2.6.3 directly to PyPI.
### Lateral Movement
- **Automated Worm Propagation:** The malware validates stolen GitHub tokens and attempts to inject malicious code into up to 50 branches of every repository the victim has write-access to.
- **Cross-Platform Infection:** The malware modifies local `package.json` files in npm projects to include a `postinstall` hook, aiming to compromise the developer's npm packages.
### Data Exfiltration/Impact
- **Data Stolen:** Comprehensive credential theft, specifically targeting GitHub tokens and local developer environment secrets.
- **Integrity Impact:** Malicious commits were made to victim repositories using a hardcoded identity impersonating "Anthropic’s Claude Code."
### Detection & Response
- **Discovery:** Identified by security firms Aikido Security, Socket, and StepSecurity.
- **Response:** PyPI administrators quarantined the project; maintainers acknowledged the issue and began an investigation; malicious versions were flagged for removal.
## Attack Methodology
- **Initial Access:** Compromise of maintainer accounts/credentials.
- **Persistence:** Injection of `postinstall` hooks in npm `package.json` and malicious code imports in Python.
- **Defense Evasion:** Use of an 11MB obfuscated JavaScript payload (`router_runtime.js`) and impersonation of legitimate AI tools (Claude Code) for commits.
- **Credential Access:** Automated harvesting of environment tokens; validation via `api.github[.]com/user`.
- **Discovery:** Scripted retrieval of up to 50 branches per repository for expansion.
- **Lateral Movement:** Worm-like propagation via GitHub API and poisoning of local npm packages for downstream infection.
- **Exfiltration:** Execution of JavaScript-based downloader and credential exfiltrator using the Bun runtime.
- **Impact:** Supply chain contamination and unauthorized code injection (Upsert) into third-party repositories.
## Impact Assessment
- **Financial:** Undetermined; potential high cost for remediation across affected downstream organizations.
- **Data Breach:** High-risk theft of GitHub tokens and developer credentials.
- **Operational:** Significant disruption to AI/ML development pipelines globally; quarantine of a critical library.
- **Reputational:** High-profile compromise of a project with 31,100+ GitHub stars.
## Indicators of Compromise
- **Network:** `api.github[.]com/user` (used for token validation).
- **Files/Versions:**
  - `lightning` versions 2.6.2 and 2.6.3.
  - `start.py` (Downloader script).
  - `router_runtime.js` (11MB Obfuscated payload).
  - `_runtime/` directory within the Python package.
- **Behavioral:** Unauthorized commits authored by "Anthropic's Claude Code"; unexpected `postinstall` hooks appearing in `package.json`.
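A local check built from the indicators above, as an added example that is not part of the original report: it flags the affected `lightning` releases and IoC-named paths in a site-packages directory, and lists `postinstall` hooks in first-party `package.json` files for manual review. The install layout (`<site-packages>/lightning`), the function names and the sample tree are assumptions constructed for illustration.

```python
import json
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}  # affected releases named in the report
IOC_NAMES = {"_runtime", "router_runtime.js", "start.py"}  # names from the IoC list

def scan_site_packages(site_packages):
    """Flag an affected lightning install and IoC-named paths inside the package."""
    root, findings = Path(site_packages), []
    for dist in metadata.distributions(path=[str(root)]):
        if dist.metadata.get("Name", "").lower() == "lightning" and dist.version in BAD_VERSIONS:
            findings.append(f"affected release: lightning=={dist.version}")
    # Assumption: the import package lives at <site-packages>/lightning.
    for path in sorted(root.glob("lightning/**/*")):
        if path.name in IOC_NAMES:  # a name match is a lead to verify, not proof
            findings.append(f"IoC name: {path.relative_to(root).as_posix()}")
    return findings

def find_postinstall_hooks(project_root):
    """Return (manifest, command) for each first-party postinstall script."""
    hits = []
    for manifest in sorted(Path(project_root).rglob("package.json")):
        if "node_modules" in manifest.parts:
            continue  # hooks shipped by dependencies are out of scope here
        try:
            scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts")
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, not JSON, or not a JSON object
        if isinstance(scripts, dict) and "postinstall" in scripts:
            hits.append((manifest.as_posix(), scripts["postinstall"]))
    return hits

def build_constructed_sample(base):
    """Create a constructed (fake) tree that mimics the reported indicators."""
    site, app = Path(base) / "site-packages", Path(base) / "app"
    info, runtime = site / "lightning-2.6.2.dist-info", site / "lightning" / "_runtime"
    for directory in (info, runtime, app):
        directory.mkdir(parents=True)
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: lightning\nVersion: 2.6.2\n")
    (runtime / "router_runtime.js").write_text("// constructed placeholder\n")
    (app / "package.json").write_text('{"scripts": {"postinstall": "node setup.js"}}')
    return site, app

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        site, app = build_constructed_sample(tmp)
        print(scan_site_packages(site), find_postinstall_hooks(app))
```

Point `scan_site_packages` at each virtual environment's site-packages directory and `find_postinstall_hooks` at each checkout; a `postinstall` hit needs comparison against the repository history before it is treated as malicious.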
## Response Actions
- **Containment:** PyPI administrators quarantined the "Lightning" package to prevent further downloads.
- **Eradication:** Advisory issued to delete versions 2.6.2 and 2.6.3 from all local environments and CI/CD pipelines.
- **Recovery:** Downgrade to version 2.6.1; mandatory rotation of all credentials (SSH keys, GitHub tokens, npm secrets) handled by affected systems.
## Lessons Learned
- **Credential Security:** Critical maintainer accounts require robust MFA and hardware security keys to prevent account takeovers.
- **Dependency Pinning:** Organizations should pin dependencies to specific versions and use lockfiles to prevent automatic updates to malicious releases.
- **Payload Size:** Large, obfuscated files (11MB JS) within a Python package are a significant red flag for supply chain scanners.
## Recommendations
- **Rotate Credentials:** Immediately rotate any GitHub tokens or npm registry secrets that were present on machines where Lightning 2.6.2/2.6.3 was installed.
- **Audit Repositories:** Check GitHub audit logs for unexpected commits or branch creations, particularly those attributed to Claude Code.
- **Implement SCA:** Use Software Composition Analysis (SCA) tools that detect suspicious `postinstall` scripts or unusual file structures in library updates.