Every morning, thousands of developers pull the latest dependencies to train their models, trusting the integrity of the Python Package Index (PyPI). That trust was shattered when it was discovered that the official lightning package—a core component of the PyTorch Lightning framework—was weaponized in a sophisticated supply chain attack. On April 30, versions 2.6.2 and 2.6.3 were released containing malicious payloads designed to dismantle developer environments from the inside out.
The Anatomy of the Lightning Package Breach
The attack targeted the lightning package hosted on PyPI, ensuring that a simple `pip install lightning` command was enough to trigger the infection. Hidden deep within the package structure is a `_runtime` directory containing obfuscated JavaScript payloads that execute the moment the module is imported. Once active, the malware systematically harvests authentication tokens, environment variables, and cloud secret keys, while simultaneously poisoning local GitHub repositories. Security researchers have linked this campaign to the same threat actor behind the Mini Shai-Hulud operation, identified by the distinct EveryBoiWeBuildIsAWormyBoi prefix found in malicious commit messages.
A Cross-Ecosystem Strategy for Persistence
This incident marks a shift from traditional, siloed attacks to a cross-ecosystem strategy that leverages Python environments to propagate JavaScript-based worms. Once the attacker gains npm publishing permissions, they inject a `setup.mjs` dropper and `router_runtime.js` into every package accessible via the stolen tokens. By forcing version updates and re-publishing these packages, the attackers create a cascading infection chain that reaches downstream developers. Data exfiltration is equally sophisticated, utilizing four parallel channels to transmit stolen information via HTTPS POST requests to attacker-controlled servers. By leveraging the GitHub commit search API to exchange encrypted tokens, the malware effectively evades standard static analysis tools.
Weaponizing Developer Tooling for Permanent Access
The most alarming aspect of this breach is how it transforms standard developer tools into persistent backdoors. The malware targets `.claude/settings.json` to inject a `SessionStart` hook, ensuring that malicious scripts execute every time Claude Code is launched. A similar mechanism is applied to VS Code via the `.vscode/tasks.json` file. If the system lacks a JavaScript runtime, the malware automatically downloads and installs `bun-v1.3.13` from GitHub to ensure its own execution environment is ready. This effectively grants the attacker long-term control over the developer's workstation, turning everyday coding tools into instruments of espionage.
Security teams can now utilize detection rules provided by Semgrep to identify potential compromises. Developers should immediately visit the Semgrep advisory page to check their systems. If an infection is confirmed, the only viable path forward is to revoke all GitHub tokens and cloud credentials, followed by a complete reconstruction of the development environment.
