Malicious PyTorch Lightning Package Steals Credentials and Worms npm Packages

The PyPI package lightning — a deep learning framework used for image classification, LLM fine-tuning, diffusion models, and time-series forecasting — was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3, published on April 30, 2026. Simply running pip install lightning triggers the malicious code on import.
What the Malware Does
The malicious versions contain a hidden _runtime directory with obfuscated JavaScript payload that executes automatically upon module import. It steals:
- Credentials and authentication tokens
- Environment variables
- Cloud secrets
It also attempts to poison GitHub repositories by creating public repos named EveryBoiWeBuildIsaWormBoi. The attack uses Dune-themed naming conventions, consistent with the previous Mini Shai-Hulud campaign.
Cross-Ecosystem Spread: PyPI to npm
While the entry point is PyPI, the malware payload is JavaScript. Once running, if it finds npm publish credentials, it injects a setup.mjs dropper and router_runtime.js into every package that token can publish to. It sets scripts.preinstall to execute the dropper, bumps the patch version, and republishes. Any downstream developer who installs those packages runs the full malware, leading to token theft and further worm propagation.
Indicators of Compromise
Audit your projects for:
- Unexpected
.claude/or.vscode/directories with strange contents - New public repositories named
EveryBoiWeBuildIsaWormBoi - Unexpected npm packages published under your account
Remediation
If you have lightning version 2.6.2 or 2.6.3 in any project:
- Remove the package and downgrade to a safe version
- Rotate all GitHub tokens, cloud credentials, and API keys that were present in the affected environment
- Scan your repositories for the injected files listed above
- Check your npm tokens and audit published packages for unauthorized modifications
Semgrep has published an advisory and rule; trigger a new scan on your projects and check the advisories page at semgrep.dev/orgs/-/advisories to see if any projects have installed these versions.
📖 Read the full source: HN AI Agents
👀 See Also

OpenClaw User Shares Strategy for Balancing Agent Autonomy and Web Security
An OpenClaw user describes their current challenge: balancing agent autonomy with security, particularly regarding web access and prompt injection risks. They propose a solution using 'low trust' and 'high trust' agent segments with a human approval gate.

Caelguard: Open-source security scanner for OpenClaw skills
Caelguard is an MIT-licensed, locally-run scanner that detects security issues in OpenClaw skills, including prompt injection, credential harvesting, and obfuscated payloads. Research shows approximately 20% of published skills contain concerning patterns.

Claude Code Continues Logging Sessions After Revoke, User Reports 2-Week Support Silence
A Claude Code user reports that session logs continued appearing after revoking access, with Anthropic support unresponsive for two weeks. Logs included scopes like user:file_upload, user:ccr_inference, and user:sessions:claude_code.

Hidden Audio Signals Hijack Voice AI Systems with 79-96% Success Rate
Research shows imperceptible audio clips can force LALMs to execute unauthorized commands like web searches, file downloads, and email exfiltration with 79-96% success across 13 models including Mistral and Microsoft services.