PyPI package lightning versions 2.6.2 and 2.6.3 contain credential-stealing malware that executes on import, targeting local dev, CI, and all major clouds.
Key Takeaways
Malicious code lives in a hidden _runtime directory as an obfuscated 14.8 MB JavaScript payload executed via Bun; it activates when lightning is imported.
Steals tokens, env vars, AWS/Azure/GCP secrets, and GitHub Actions runner memory; four parallel exfiltration channels resist blocking.
Worm propagates cross-ecosystem: if npm publish credentials are found, it injects a dropper into every publishable npm package and republishes.
Persistence via Claude Code (SessionStart hook in .claude/settings.json) and VS Code (folderOpen task in .vscode/tasks.json); this may be the first documented real-world abuse of Claude Code hooks.
Safe version is 2.6.1; 2.6.4 is in progress. Rotate all credentials and audit affected repos for .claude/, .vscode/, and _runtime/ artifacts.
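The audit step above can be scripted. The following is an added example (not code from the advisory, Lightning-AI, or the commenters) that walks a checked-out repository and reports the three persistence and payload artifacts the takeaways name: a _runtime/ directory, commands registered under a SessionStart hook in .claude/settings.json, and tasks with runOptions.runOn set to folderOpen in .vscode/tasks.json. It assumes Claude Code's hooks live under a top-level "hooks" object keyed by event name and that VS Code's documented "runOptions": {"runOn": "folderOpen"} shape is used; because tasks.json may contain comments that strict JSON parsing rejects, it falls back to a textual match so the file is still flagged. The sample repository it builds is constructed for demonstration, and the payload file name in it is a placeholder, not the real one.

```python
"""Audit a repository for the _runtime/ payload directory, Claude Code
SessionStart hooks and VS Code folderOpen tasks. Added example; the JSON
shapes assumed for both editor settings files are noted in the functions."""
import json
import os
import re
import tempfile
from pathlib import Path

# Textual fallback for tasks.json files that contain comments (JSONC).
_FOLDER_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def find_runtime_dirs(root):
    """Return every directory named `_runtime` below root, as relative paths."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d == "_runtime":
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)


def _commands_under(node):
    """Yield the value of every "command" key nested anywhere in a JSON value."""
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        for v in node.values():
            yield from _commands_under(v)
    elif isinstance(node, list):
        for v in node:
            yield from _commands_under(v)


def claude_sessionstart_commands(settings_path):
    """Commands registered under hooks.SessionStart in a Claude Code settings.json.
    Assumed shape: {"hooks": {"SessionStart": [{"hooks": [{"type": "command",
    "command": "..."}]}]}}; any "command" string under that key is collected."""
    try:
        data = json.loads(Path(settings_path).read_text())
    except (OSError, ValueError):
        return []
    return list(_commands_under(data.get("hooks", {}).get("SessionStart", [])))


def vscode_folderopen_tasks(tasks_path):
    """Tasks that VS Code runs automatically when the folder opens, i.e. with
    runOptions.runOn == "folderOpen". Falls back to a regex when the file is
    not strict JSON, reporting the file itself rather than silently skipping it."""
    try:
        text = Path(tasks_path).read_text()
    except OSError:
        return []
    try:
        data = json.loads(text)
    except ValueError:
        return ["<unparseable tasks.json>"] if _FOLDER_OPEN_RE.search(text) else []
    found = []
    for task in data.get("tasks", []):
        if isinstance(task, dict) and task.get("runOptions", {}).get("runOn") == "folderOpen":
            found.append(task.get("command") or task.get("label") or "<unnamed task>")
    return found


def audit_repo(root):
    """Collect all three artifact classes for one repository checkout."""
    root = Path(root)
    return {
        "runtime_dirs": find_runtime_dirs(root),
        "claude_sessionstart": claude_sessionstart_commands(root / ".claude" / "settings.json"),
        "vscode_folderopen": vscode_folderopen_tasks(root / ".vscode" / "tasks.json"),
    }


def is_suspicious(findings):
    """True when any artifact class was found."""
    return any(findings.values())


def build_sample_repo(root, with_comment=True):
    """Write a constructed (not real) repo carrying all three artifacts.
    The payload file name below is a placeholder, not the real one."""
    root = Path(root)
    cmd = "bun _runtime/example_payload.js"  # constructed placeholder command
    (root / "_runtime").mkdir(parents=True)
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps(
        {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": cmd}]}]}}))
    (root / ".vscode").mkdir()
    comment = " // autorun" if with_comment else ""  # JSONC comment VS Code tolerates
    (root / ".vscode" / "tasks.json").write_text(
        '{"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",\n'
        f'  "command": "{cmd}", "runOptions": {{"runOn": "folderOpen"}}{comment}\n}}]}}\n')
    return root


def demo(with_comment=True):
    """Build the constructed sample repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp, with_comment=with_comment)
        return audit_repo(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against each clone with `audit_repo(path)`; a non-empty result for any key is a reason to treat the checkout and the credentials that touched it as compromised, and the JSONC fallback deliberately reports the file rather than returning a clean result it cannot vouch for.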
Hacker News Comment Review
Commenters confirmed active exfiltration: a GitHub repo search for “A Mini Shai-Hulud has Appeared” showed 2,200+ attacker-created repos, all created within one day of the attack going public.
NixOS unstable channel was flagged as shipping 2.6.2, expanding exposure beyond direct pip installs to Nix users who assumed reproducibility meant safety.
A broader debate surfaced over whether supply-chain attacks are genuinely increasing or merely more visible; dependency minimization via LLM-generated vanilla JS was floated as a practical mitigation for hobby and internal tooling.
Notable Comments
@brahman81: Lightning-AI team confirmed active investigation and officially recommended pinning to 2.6.1 while 2.6.4 is prepared.
@0fflineuser: NixOS unstable is shipping the infected 2.6.2 build, meaning Nix users are exposed despite the reproducible-builds model.