Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
Happening score
H score 21
2 unique sources, 2 articles

Summary

Malicious versions 2.6.2 and 2.6.3 of the Lightning PyPI package were published on April 30, 2026, turning a normal install into credential theft for developer and CI/CD environments. The builds automatically ran `start.py`, fetched the Bun runtime, and executed the obfuscated `router_runtime.js` payload. The malware harvested secrets including GitHub tokens, npm tokens, SSH keys, and cloud credentials, then tried to exfiltrate them to zero.masscan[.]cloud:443/v1/telemetry. It also used stolen tokens to write poisoned commits and republish tampered packages, extending the risk into downstream ecosystems.

Related Happenings

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Rwl.angular-console (Nx Console) hit by network compromise

Incident
First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

Timeline

  1. 04.05.2026 20:15 1 article · 23d ago

    Microsoft Defender detects ShaiWorm in Lightning customer environments

    Detection IoC Update

    Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
  2. 30.04.2026 19:31 1 article · 27d ago

    Lightning 2.6.2 and 2.6.3 published with credential theft

    Initial Disclosure

    Malicious Lightning package versions 2.6.2 and 2.6.3 were published on April 30, 2026 and delivered credential-theft code to developers and CI/CD users who installed them. Multiple security teams identified the releases as part of a software supply chain compromise and described the builds as consistent with credential harvesting.
  3. 30.04.2026 19:31 1 article · 27d ago

    Lightning payload auto-runs and steals developer secrets

    Technical Analysis Update

    The malicious Lightning package included a hidden `_runtime` directory, a `start.py` launcher, and an obfuscated `router_runtime.js` payload that executed automatically when the `lightning` module was imported. The chain downloaded the Bun JavaScript runtime, harvested GitHub tokens, validated them against `api.github[.]com/user`, encrypted stolen data, and used the access to write worm-like commits and repack tampered npm packages.
  4. 30.04.2026 19:31 1 article · 27d ago

    PyPI quarantines Lightning and removes the malicious releases

    Mitigation Patch Update

    PyPI quarantined the Lightning project, later removed versions 2.6.2 and 2.6.3, and left 2.6.1 as the last known clean release. Maintainers said the malicious versions were live for 42 minutes and advised removing the affected releases from developer systems, downgrading to 2.6.1, and rotating exposed credentials.
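
A read-only check for the indicators named in this timeline, added here as an example and not taken from the original page or the Lightning project: it flags the two malicious versions and any `start.py` or `router_runtime.js` under a `_runtime` directory, without ever importing `lightning` (importing is what runs the payload). The exact location of `_runtime` inside the package is an assumption, and the function and constant names are hypothetical.

```python
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                   # malicious releases named on this page
LAST_CLEAN = "2.6.1"                                # last known clean release per the page
PAYLOAD_NAMES = {"start.py", "router_runtime.js"}   # file names from the technical analysis


def scan_site_packages(root):
    """Return sorted findings for one site-packages directory (metadata and file names only)."""
    root = Path(root)
    findings = []
    # Read dist-info metadata from disk; this never executes package code.
    for dist in metadata.distributions(path=[str(root)]):
        try:
            name = (dist.metadata.get("Name") or "").lower()
            version = dist.version
        except Exception:
            continue  # unreadable or incomplete metadata: skip this entry
        if name == "lightning" and version in BAD_VERSIONS:
            findings.append(f"lightning=={version} installed")
    # Assumption: the payload files sit under a `_runtime` directory somewhere
    # inside the `lightning` package; the page does not give the exact layout.
    pkg = root / "lightning"
    if pkg.is_dir():
        for runtime_dir in pkg.rglob("_runtime"):
            if not runtime_dir.is_dir():
                continue
            for f in runtime_dir.rglob("*"):
                if f.is_file() and f.name in PAYLOAD_NAMES:
                    findings.append(f"payload artifact {f.relative_to(root).as_posix()}")
    return sorted(findings)


def scan_current_environment():
    """Scan every directory on sys.path and map each one to its findings."""
    results = {}
    for entry in sys.path:
        if Path(entry).is_dir():
            hits = scan_site_packages(entry)
            if hits:
                results[entry] = hits
    return results


if __name__ == "__main__":
    report = scan_current_environment()
    for location, hits in report.items():
        print(location, *hits, sep="\n  ")
    print(f"action: downgrade to {LAST_CLEAN} and rotate secrets" if report else "no indicators found")
    sys.exit(1 if report else 0)
```

Any finding means the host or CI runner should be treated as exposed, since the page notes that users who ran `import lightning` may need to rotate secrets, keys, and tokens.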