Malicious PyTorch Lightning Package Steals Credentials and Worms npm Packages

The PyPI package lightning — a deep learning framework used for image classification, LLM fine-tuning, diffusion models, and time-series forecasting — was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3, published on April 30, 2026. Simply running pip install lightning triggers the malicious code on import.
What the Malware Does
The malicious versions contain a hidden _runtime directory with an obfuscated JavaScript payload that executes automatically upon module import. It steals:
- Credentials and authentication tokens
- Environment variables
- Cloud secrets
It also attempts to poison GitHub repositories by creating public repos named EveryBoiWeBuildIsaWormBoi. The attack uses Dune-themed naming conventions, consistent with the previous Mini Shai-Hulud campaign.
Cross-Ecosystem Spread: PyPI to npm
While the entry point is PyPI, the malware payload is JavaScript. Once running, if it finds npm publish credentials, it injects a setup.mjs dropper and router_runtime.js into every package that token can publish to. It sets scripts.preinstall to execute the dropper, bumps the patch version, and republishes. Any downstream developer who installs those packages runs the full malware, leading to token theft and further worm propagation.
Indicators of Compromise
Audit your projects for:
- Unexpected .claude/ or .vscode/ directories with strange contents
- New public repositories named EveryBoiWeBuildIsaWormBoi
- Unexpected npm packages published under your account
Remediation
If you have lightning version 2.6.2 or 2.6.3 in any project:
- Remove the package and downgrade to a safe version
- Rotate all GitHub tokens, cloud credentials, and API keys that were present in the affected environment
- Scan your repositories for the injected files listed above
- Check your npm tokens and audit published packages for unauthorized modifications
Semgrep has published an advisory and rule; trigger a new scan on your projects and check the advisories page at semgrep.dev/orgs/-/advisories to see if any projects have installed these versions.
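A local triage pass over a checkout or virtual environment, as an added example (not code from the article, Semgrep, or the Lightning project). It flags the versions and file names given above. The function names, the location of _runtime directly inside the lightning package, and the sample preinstall command are assumptions, and the demo tree is constructed:

```python
import json
import re
import tempfile
from pathlib import Path

BAD_LIGHTNING = {"2.6.2", "2.6.3"}  # versions named in the article
INJECTED_FILES = {"setup.mjs", "router_runtime.js"}  # names from the article

def scan(root):
    """Return sorted (kind, relative_path) findings under root; hits need manual review."""
    findings = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        # pip records an install as a lightning-<version>.dist-info directory
        m = re.fullmatch(r"lightning-([\d.]+)\.dist-info", path.name)
        if m and m.group(1) in BAD_LIGHTNING:
            findings.append(("compromised-lightning", rel))
        # Assumption: the _runtime directory sits directly inside the lightning package
        elif path.is_dir() and path.name == "_runtime" and path.parent.name == "lightning":
            findings.append(("hidden-runtime-dir", rel))
        elif path.is_file() and path.name in INJECTED_FILES:
            findings.append(("injected-file", rel))
        elif path.is_file() and path.name == "package.json":
            try:
                manifest = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            pre = scripts.get("preinstall") if isinstance(scripts, dict) else None
            if isinstance(pre, str) and "setup.mjs" in pre:
                findings.append(("preinstall-dropper", rel))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample layout (not real data): infected venv, wormed and clean npm packages."""
    root = Path(root)
    (root / "venv/site-packages/lightning-2.6.3.dist-info").mkdir(parents=True)
    (root / "venv/site-packages/lightning/_runtime").mkdir(parents=True)
    for name, scripts in (("wormed-pkg", {"preinstall": "node setup.mjs"}),
                          ("clean-pkg", {"test": "jest"})):
        pkg = root / "node_modules" / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"scripts": scripts}))
    (root / "node_modules/wormed-pkg/setup.mjs").write_text("// constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, rel in scan(build_demo_tree(tmp)):
            print(f"{kind:24}{rel}")
```

File names such as setup.mjs also occur in legitimate projects, so treat each hit as a lead to inspect, and rotate credentials regardless of what the scan reports if an affected version was ever installed.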
📖 Read the full source: HN AI Agents