Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First reported
Last updated
Happening score
H score 29
2 unique sources, 2 articles

Summary

Hide ▲

The Lightning PyPI package was pushed in malicious versions 2.6.2 and 2.6.3 on April 30, 2026, turning a normal install into credential theft for developer and CI/CD environments. The builds automatically ran `start.py`, fetched the Bun runtime, and executed the obfuscated router_runtime.js payload. The malware harvested secrets including GitHub tokens, npm tokens, SSH keys, and cloud credentials, then tried to exfiltrate them to zero.masscan[.]cloud:443/v1/telemetry. It also used stolen tokens to write poisoned commits and republish tampered packages, extending the risk into downstream ecosystems.

Related Happenings

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score22 First: 08.06.2026 23:41 Last: 08.06.2026 23:41 Sources 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

Timeline

  1. 04.05.2026 20:15 1 articles · 2mo ago

    Microsoft Defender detects ShaiWorm in Lightning customer environments

    Detection Ioc Update

    Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

    Show sources
  2. 30.04.2026 19:31 1 articles · 2mo ago

    Lightning 2.6.2 and 2.6.3 published with credential theft

    Initial Disclosure

    Malicious Lightning package versions 2.6.2 and 2.6.3 were published on April 30, 2026 and delivered credential-theft code to developers and CI/CD users who installed them. Multiple security teams identified the releases as part of a software supply chain compromise and described the builds as consistent with credential harvesting.

    Show sources
  3. 30.04.2026 19:31 1 articles · 2mo ago

    Lightning payload auto-runs and steals developer secrets

    Technical Analysis Update

    The malicious Lightning package included a hidden `_runtime` directory, a `start.py` launcher, and an obfuscated `router_runtime.js` payload that executed automatically when the `lightning` module was imported. The chain downloaded the Bun JavaScript runtime, harvested GitHub tokens, validated them against `api.github[.]com/user`, encrypted stolen data, and used the access to write worm-like commits and repack tampered npm packages.

    Show sources
  4. 30.04.2026 19:31 1 articles · 2mo ago

    PyPI quarantines Lightning and removes the malicious releases

    Mitigation Patch Update

    PyPI quarantined the Lightning project, later removed versions 2.6.2 and 2.6.3, and left 2.6.1 as the last known clean release. Maintainers said the malicious versions were live for 42 minutes and advised removing the affected releases from developer systems, downgrading to 2.6.1, and rotating exposed credentials.

    Show sources