
"The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload. The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import."
"The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do. No pre-conditions are required for the attack to succeed."
Two malicious versions of the Lightning Python package, 2.6.2 and 2.6.3, were published on April 30, 2026, leading to a credential theft attack. The attack is linked to the Mini Shai-Hulud incident that targeted SAP-related npm packages. The malicious package contains a hidden directory holding a downloader and an obfuscated JavaScript payload, and the chain executes automatically as soon as the module is imported. It downloads and runs a payload built for credential theft; stolen GitHub tokens are validated before further use. The project maintainers are investigating the incident.
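A defender-side check for the indicators the report names (a lightning install at one of the two flagged versions, or a `_runtime` directory inside the package that holds JavaScript files), added here as an example; it is not code from the article or from the Lightning project, and it assumes the directory is literally named `_runtime` (optionally dot-prefixed) and that the payload files carry a `.js` extension.

```python
# Added example, not the article's or the Lightning project's code. Assumes the
# indicator directory is named "_runtime" or "._runtime" and payloads end in ".js".
import importlib.metadata as md
import sysconfig
from pathlib import Path

# Versions the report names as malicious.
KNOWN_BAD_VERSIONS = {"2.6.2", "2.6.3"}


def is_known_bad_version(version: str) -> bool:
    """True if the lightning version string is one of the two flagged releases."""
    return version.strip() in KNOWN_BAD_VERSIONS


def find_runtime_js_dirs(root) -> list:
    """Return _runtime (or ._runtime) directories under root that contain .js files.

    A JavaScript payload inside a Python package is the unusual artefact the
    report describes; its presence is a signal to inspect, not proof on its own.
    """
    root = Path(root)
    if not root.is_dir():
        return []
    hits = []
    for d in root.rglob("*"):
        if d.is_dir() and d.name.lstrip(".") == "_runtime":
            if any(p.is_file() and p.suffix == ".js" for p in d.rglob("*")):
                hits.append(d)
    return sorted(hits)


def audit_lightning(site_packages, version) -> dict:
    """Combine the version check with the filesystem scan for one installation."""
    pkg_dir = Path(site_packages) / "lightning"
    return {
        "version": version,
        "version_flagged": bool(version) and is_known_bad_version(version),
        "suspicious_dirs": [str(p) for p in find_runtime_js_dirs(pkg_dir)],
    }


if __name__ == "__main__":
    try:
        installed = md.version("lightning")
    except md.PackageNotFoundError:
        installed = None
    print(audit_lightning(sysconfig.get_paths()["purelib"], installed))
```

Run it inside each virtual environment you want to check; a flagged version or a non-empty `suspicious_dirs` list means the environment should be treated as compromised and its credentials rotated.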
Read at The Hacker News