PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Authentication
In yet another software supply chain attack, malicious actors were able to compromise the popular Python Lightning package to push two malicious versions to perform guaranteed theft.
According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both published on April 30, 2026. This campaign is being tested as an extension of the Mini Shai-Hulud incident of the series targeting SAP-related npm packages on Wednesday.
As of writing, the project is isolated by the Python Package Index (PyPI) repository maintainers. PyTorch Lightning is an open source Python framework that provides a high-level interface for PyTorch. The open source project has over 31,100 stars on GitHub.
“The malicious package includes a hidden _runtime directory that contains a downloader and a cryptic JavaScript payload,” Socket said. “The kill chain runs automatically when the lightning module is imported, it does not require additional user action after installation and import.”
The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to launch an 11MB malicious payload (“router_runtime.js”) intended to perform complete authentication theft.
Among the credentials harvested, GitHub tokens are validated against “api.github[.]com/user” before it is used to inject the payload as a worm into up to 50 branches returned from all repositories the token can write to.
“The performance is annoying: it creates files that don’t exist yet and silently overwrites existing files,” Socket added. “No pre-screening of content is done. All poisoned submissions are authenticated using a hard-coded ID designed to mimic the Anthropic Claude Code.”
Alternatively, the malware uses an npm-based distribution vector that modifies the developer’s local npm packages with a hook posted in the “package.json” file to use malicious payloads, increase the patch version number, and repackage the .tgz tarballs. When an unsuspecting developer publishes compromised packages in their local environment, they are made available to npm, where the malware ends up on downstream user systems.
The caretakers of the project admitted that “we are aware of the matter and we are investigating it.” It is not yet clear how the incident happened, but indications are that the project’s GitHub account was compromised.
In another advisory, Lightning stated that an investigation is ongoing to determine the exact cause of the outage and that “the affected versions presented performance consistent with the certified harvesting method.”
For now, it is advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer apps, if they are already installed. It is also important that you downgrade to the last known clean version, 2.6.1, and rotate the credentials displayed in the affected areas.
The supply chain attack is the latest addition to a long list of compromises by a threat actor known as TeamPCP, which has now launched Onion’s website on the dark web after its account was suspended from X for violating the platform’s rules.
It also called LAPSUS$, “a good partner and very involved in this whole project.” The group also made a point of emphasizing that it “never used VECT encryption tools and we own CipherForce, our private locker,” following a report from Check Point Research about vulnerabilities found in the ransomware’s encryption process.
Intercom npm Package Compromised as Part of Mini Shai-Hulud
In a related development, it has emerged that version 7.0.4 of the intercom-client has been compromised as part of the Mini Shai-Hulud campaign, following a similar methodology to that of SAP packages to initiate the creation of theft-verifying malware using a pre-installation hook.
“The overlap is important because the SAP CAP campaign was linked to TeamPCP’s work based on shared technical details, including different paid implementation patterns, GitHub-based releases, harvesting of fragments across developer and CI/CD environments, and similarities to previous attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” said Socket Security Trivy.
