EXECUTIVE SUMMARY
The malicious PyPI package lightning has been compromised in a supply chain attack, specifically targeting versions 2.6.2 and 2.6.3. The attacker appears to be using a credential-stealing malware, which executes automatically when the package is imported. The compromised package has been installed hundreds of thousands of times per day, making this a high-impact incident for Python AI and machine learning environments. The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload, which targets tokens, authentication material, repositories, environment variables, and cloud-related secrets.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
The malicious PyPI package lightning has been compromised in a supply chain attack, specifically targeting versions 2.6.2 and 2.6.3. The attacker appears to be using a credential-stealing malware, which executes automatically when the package is imported. The compromised package has been installed hundreds of thousands of times per day, making this a high-impact incident for Python AI and machine learning environments. The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload, which targets tokens, authentication material, repositories, environment variables, and cloud-related secrets.[emaillocker id="1283"]
The attacker's goal is likely data theft, and the attack may be linked to broader extortion and data-leak activity. The malware infects systems through the compromised PyPI package, which is then imported into a project. The execution chain runs automatically, requiring no additional user action after installation and import. Once inside, the malware uses credential theft and exfiltration patterns to target tokens, authentication material, repositories, environment variables, and cloud-related secrets.
The attacker maintains control by using GitHub API abuse to commit encoded data to repositories using stolen tokens. The malware also uses a daemon thread with suppressed output to execute automatically when the lightning module is imported. This threat is significant because it affects a widely used deep learning framework and has been installed hundreds of thousands of times per day. The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload, which is difficult to detect. Organisations should treat any environment that installed and imported version 2.6.2 or 2.6.3 as compromised and take immediate actions to remove the package, downgrade to the last known clean version, and rotate credentials exposed in affected environments.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Reconnaissance | T1592 | Open-Source Intelligence | — |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070 | Indicator Removal | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1573 | Encrypted Channel | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
reports contain further technical details:
https://socket.dev/blog/lightning-pypi-package-compromised