
lightning PyPI Package Compromised in Supply Chain Attack

The popular PyPI package 'lightning' was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3. The malicious package executes an obfuscated JavaScript payload via the Bun runtime to harvest cloud and developer credentials, poison GitHub repositories by impersonating Anthropic's Claude Code, and infect local npm packages.

Sens: Immediate | Conf: high | Analyzed: 2026-04-30

Authors: Socket

Actors: Mini Shai-Hulud, Team PCP, LAPSUS$

Source: Socket


What Happened

A popular software package called 'lightning', used by developers for artificial intelligence projects, was hacked. The attackers inserted malicious code into versions 2.6.2 and 2.6.3 that automatically steals passwords and access tokens for cloud services and code repositories. This matters because it can give attackers deep access to a company's sensitive data and allow the infection to spread to other software projects. Anyone using the affected versions should immediately remove them, downgrade to version 2.6.1, and change all their passwords and security tokens.

Key Takeaways

  • The popular PyPI package 'lightning' was compromised in versions 2.6.2 and 2.6.3 to include malicious code.
  • The malware downloads the Bun runtime to execute an 11MB obfuscated JavaScript payload ('router_runtime.js') upon module import.
  • The payload harvests cloud and developer credentials, including AWS, Azure, GCP, GitHub, and npm tokens.
  • Stolen GitHub tokens are used to poison repositories by committing malicious code while impersonating Anthropic's Claude Code.
  • The malware also infects local npm tarballs by injecting a malicious 'setup.mjs' script into the postinstall hook.

Affected Systems

  • Python AI and machine learning environments using the 'lightning' PyPI package (versions 2.6.2 and 2.6.3)
  • Developer workstations
  • CI/CD pipelines
  • GitHub repositories

Attack Chain

The attack begins when a developer installs the compromised 'lightning' PyPI package (versions 2.6.2 or 2.6.3). Upon importing the module, a hidden script ('start.py') downloads the Bun JavaScript runtime and executes an 11MB obfuscated payload ('router_runtime.js'). This payload harvests cloud and developer credentials from the environment and local endpoints. It then uses stolen GitHub tokens to poison accessible repositories by committing itself under the guise of Anthropic's Claude Code, and infects local npm tarballs by injecting a malicious 'setup.mjs' script into the postinstall hook.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but outlines behavioral indicators, file paths, and file hashes for identifying the compromise.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can detect the unexpected download and execution of the Bun runtime by a Python process, as well as the subsequent network connections to cloud metadata APIs and GitHub/npm endpoints.
  • Network Visibility: Medium. Network monitoring can spot unusual outbound connections to AWS IMDS (169.254.169.254) from developer workstations, but API calls to GitHub and npm are TLS-encrypted and may blend with legitimate developer traffic.
  • Detection Difficulty: Moderate. While the initial execution chain (Python spawning Bun) is anomalous, the subsequent actions (API calls to GitHub/npm) use legitimate stolen tokens, making them harder to distinguish from normal developer activity without strict behavioral baselining.

Required Log Sources

  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • Network Connection Logs (Sysmon Event ID 3)
  • GitHub Audit Logs
  • CI/CD Pipeline Logs

Hunting Hypotheses

  • Look for Python processes spawning unknown or unexpected runtimes like 'bun' or 'node', especially from temporary or hidden directories. | Telemetry: Process Execution | ATT&CK Stage: Execution | FP Risk: Low
  • Identify unusual outbound network connections to cloud metadata IP addresses (e.g., 169.254.169.254) originating from non-standard processes like Bun or Node.js on developer workstations. | Telemetry: Network Traffic | ATT&CK Stage: Credential Access | FP Risk: Low
  • Monitor GitHub audit logs for commits authored by 'claude@users.noreply.github.com' in repositories that do not officially integrate or use Anthropic's Claude Code. | Telemetry: Application Logs | ATT&CK Stage: Persistence | FP Risk: Low
  • Search for the creation of hidden directories named '.claude' containing JavaScript files within source code repositories. | Telemetry: File System | ATT&CK Stage: Persistence | FP Risk: Low
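The first hypothesis, written out as detection logic over process-creation events. This is an added example, not a rule from Socket or from this report; it assumes events exported as JSON lines with Sysmon Event ID 1 field names (EventID, Image, ParentImage), and the sample events are constructed.

```python
import json
import re

PYTHON = re.compile(r"^(python[\d.]*|pythonw|py)(\.exe)?$", re.I)
RUNTIME = re.compile(r"^(bun|node)(\.exe)?$", re.I)

def _parts(path):
    """Split a Windows or POSIX path into its components."""
    return [p for p in re.split(r"[\\/]+", path) if p]

def _odd_location(path):
    """True if the binary sits under a hidden (dot-prefixed) or temp directory."""
    return any(d.startswith(".") or d.lower() in {"tmp", "temp"}
               for d in _parts(path)[:-1])

def hunt(lines):
    """Return (severity, image, parent) for each Python -> Bun/Node process creation."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if ev.get("EventID") != 1 or not image or not parent:
            continue
        child, par = _parts(image)[-1], _parts(parent)[-1]
        if not (PYTHON.match(par) and RUNTIME.match(child)):
            continue
        # Bun under Python is the chain this report describes; Node under Python
        # is only escalated when it runs from a temp or hidden directory.
        is_bun = child.lower().startswith("bun")
        hits.append(("high" if is_bun or _odd_location(image) else "medium",
                     image, parent))
    return hits

# Constructed sample events (not taken from a real host).
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 1, "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Users\dev\AppData\Local\Temp\bun.exe"},
    {"EventID": 1, "ParentImage": "/usr/bin/python3.11",
     "Image": "/home/dev/.cache/rt/node"},
    {"EventID": 1, "ParentImage": "/usr/bin/python3", "Image": "/usr/bin/node"},
    {"EventID": 1, "ParentImage": "/usr/bin/bash", "Image": "/usr/local/bin/bun"},
    {"EventID": 3, "ParentImage": "/usr/bin/python3", "Image": "/tmp/bun"},
)]

if __name__ == "__main__":
    for severity, image, parent in hunt(SAMPLE):
        print(f"[{severity}] {parent} -> {image}")
```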

Control Gaps

  • Lack of egress filtering for cloud metadata APIs on developer workstations
  • Insufficient branch protection rules allowing direct commits to non-default branches without review

Key Behavioral Indicators

  • Python process spawning Bun runtime
  • Commits authored by claude@users.noreply.github.com
  • Presence of .claude/router_runtime.js
  • Unexpected version bumps in local npm tarballs

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove lightning versions 2.6.2 and 2.6.3 from all affected systems.
  • Downgrade to lightning version 2.6.1.
  • Rotate all potentially exposed credentials (GitHub tokens, npm tokens, AWS/Azure/GCP credentials, environment variables).
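Because the payload runs when the module is imported, affected installs should be located from package metadata rather than with `import lightning`. The sketch below is an added example, not tooling from Socket or the lightning project; the temporary install it builds and the `lightning/start.py` path inside it are constructed for the demo.

```python
import sys
from importlib import metadata
from pathlib import Path

COMPROMISED_VERSIONS = {"2.6.2", "2.6.3"}  # versions named in this report

def find_compromised_lightning(search_paths=None):
    """Read dist-info metadata only; the 'lightning' module is never imported."""
    paths = [str(p) for p in (sys.path if search_paths is None else search_paths)]
    hits = []
    for dist in metadata.distributions(path=paths):
        name = (dist.metadata.get("Name") or "").lower()
        if name != "lightning" or dist.version not in COMPROMISED_VERSIONS:
            continue
        # RECORD lists the installed files; start.py is the loader named in this report.
        loaders = [str(f) for f in (dist.files or []) if f.name == "start.py"]
        hits.append({"version": dist.version,
                     "location": str(dist.locate_file("")),
                     "start_py": loaders})
    return hits

def make_fake_install(site_dir, version, files):
    """Constructed install for the demo: metadata plus empty placeholder files."""
    site = Path(site_dir)
    info = site / f"lightning-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: lightning\nVersion: {version}\n\n")
    (info / "RECORD").write_text("".join(f"{rel},,\n" for rel in files))
    for rel in files:
        target = site / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("# placeholder\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_install(tmp, "2.6.3", ["lightning/__init__.py", "lightning/start.py"])
        for hit in find_compromised_lightning([tmp]):
            print(hit)
```

Called with no arguments, `find_compromised_lightning()` scans the current interpreter's `sys.path`; run it once per virtual environment or CI image.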

Infrastructure Hardening

  • Implement strict egress filtering to block unauthorized access to cloud metadata endpoints (169.254.169.254) from developer workstations.
  • Enforce branch protection rules, required status checks, and workflow approvals on all GitHub repositories.

User Protection

  • Audit local npm tarballs (.tgz files) for unexpected postinstall entries and version bumps.
  • Review GitHub Actions logs for unexpected workflow runs, particularly from .github/workflows/format-check.yml.
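One way to run the tarball audit, reading each .tgz in memory so nothing is extracted or executed. This is an added example, not code from Socket or from this report; `expected_version` is an assumed input (for instance the version pinned in a lockfile), and the sample tarball is constructed.

```python
import io
import json
import tarfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_npm_tarball(fileobj, expected_version=None):
    """Inspect an npm .tgz in memory and return a list of findings."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        names = tar.getnames()
        # npm wraps package contents in one top-level directory, normally "package/".
        manifest = next((n for n in names
                         if n.count("/") == 1 and n.endswith("/package.json")), None)
        if manifest is None:
            return ["no top-level package.json"]
        root = manifest.split("/", 1)[0]
        pkg = json.load(tar.extractfile(manifest))
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{hook} hook: {scripts[hook]!r}")
    if "setup.mjs" in str(scripts.get("postinstall", "")):
        findings.append("postinstall runs setup.mjs (indicator named in this report)")
    if f"{root}/setup.mjs" in names:
        findings.append("setup.mjs present at package root")
    if expected_version is not None and pkg.get("version") != expected_version:
        findings.append(f"version {pkg.get('version')!r} != expected {expected_version!r}")
    return findings

def build_sample_tgz(files):
    """Build a constructed npm-style tarball in memory from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=f"package/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample showing the signs listed above; setup.mjs is a placeholder.
    tampered = build_sample_tgz({
        "package.json": json.dumps({"name": "demo", "version": "1.0.1",
                                    "scripts": {"postinstall": "node setup.mjs"}}),
        "setup.mjs": "// placeholder, not a real payload\n"})
    for finding in audit_npm_tarball(tampered, expected_version="1.0.0"):
        print("FINDING:", finding)
```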

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package versions before installation.
  • Establish a clear incident response protocol for suspected compromised dependencies.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1552.004 - Credentials from Password Stores: Private Keys
  • T1552.005 - Credentials from Password Stores: Cloud Instance Metadata API
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1528 - Steal Application Access Token

Additional IOCs

  • URLs:
    • hxxp://169[.]254[.]170[.]2 - AWS ECS credential endpoint targeted for credential theft
    • hxxps://oauth2[.]googleapis[.]com/tokeninfo - Google Cloud OAuth2 token introspection endpoint used by the malware
    • hxxps://api[.]github[.]com/user - GitHub API endpoint used to validate stolen tokens
    • hxxps://registry[.]npmjs[.]org/-/whoami - npm registry endpoint used to validate stolen tokens
  • File Hashes:
    • f1b3e7b3eec3294c4d6b5f87854a52471f03997f (SHA1) - Obfuscated JavaScript payload (router_runtime.js)
    • 40d0f21b64ec8fb3a7a1959897252e09 (MD5) - Obfuscated JavaScript payload (router_runtime.js)
  • File Paths:
    • start.py - Hidden script in the lightning package that downloads and executes Bun
    • setup.mjs - Malicious script injected into the root of local npm packages
    • .github/workflows/format-check.yml - Workflow file associated with the malicious commits
  • Command Lines:
    • Purpose: Executes the injected payload during npm package installation | Tools: node | Stage: Execution | node setup.mjs
  • Other:
    • pl-ghost - Compromised GitHub maintainer account used to suppress disclosures and attempt lateral movement
    • dependabot/fix-deds - Suspicious branch name used by the compromised maintainer account for lateral movement
    • https://smp15.simplex.im/g#1eF0NSovWk6C5NugAjpbcNHk_aw_GJo49k_1kpdiQRw - SimpleX contact link provided in the Team PCP announcement
    • 05a04c7c548c39e903c5913973dd55b6f3d9c1a10d346ca9d49d10b9428095823e - Session contact ID provided in the Team PCP announcement
    • BA8D312391E2E379144046841FC97EDF1DD2D400E3AB3B3DAAF08D8569AE2D43AB997A5069F2 - TOX contact ID provided in the Team PCP announcement
    • https://breached.st/members/teampcp.336107/ - Breached forum profile linked in the Team PCP announcement