Two malicious releases of the popular `lightning` PyPI package (versions 2.6.2 and 2.6.3) were published on April 30, 2026, shipping a hidden `_runtime` directory that downloads the Bun JavaScript runtime and executes an ~11 MB obfuscated credential stealer at import time. The payload harvests GitHub tokens, npm tokens, and cloud credentials; poisons victim repositories with commits spoofed as Anthropic Claude Code activity; and includes npm worm logic to self-propagate. PyPI has quarantined the project. The attack used a stolen long-lived PyPI API token to publish wheels directly, bypassing the legitimate GitHub Actions workflow. The cipher signature in the payload matches earlier compromises (Bitwarden CLI, Checkmarx KICS, SAP CAP packages), indicating shared tooling across a broader campaign dubbed 'Mini Shai-Hulud.' Recommended actions include downgrading to 2.6.1, rotating all credentials from affected environments, auditing GitHub for unauthorized commits signed as 'claude', and checking CI/CD logs for unexpected Bun processes.
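The recommended actions above (check the installed version, look for the hidden `_runtime` directory, audit commits attributed to 'claude', look for unexpected Bun processes in CI logs) can be scripted. The block below is an added triage example, not code from Snyk or from the Lightning project; the only facts it takes from the report are the malicious version numbers, the `_runtime` directory name, the Bun runtime and the spoofed Claude identity. The RECORD entries, CI log lines and `git log` output it scans are constructed samples, and the `git log` field layout it parses (`%H%x09%an%x09%cn%x09%s`) is an assumption about how a defender would export the history.

```python
"""Defender-side triage for the lightning 2.6.2 / 2.6.3 compromise.

Added example, not Snyk's or the Lightning project's code. Facts taken from
the report: malicious versions 2.6.2 and 2.6.3, the hidden ``_runtime``
directory, execution of the Bun runtime, and commits spoofed as Claude.
All sample file lists, log lines and git output below are constructed.
"""
import re
from importlib import metadata

MALICIOUS_VERSIONS = frozenset({"2.6.2", "2.6.3"})
SAFE_PIN = "2.6.1"  # last release before the malicious ones

# Matches an invocation of the Bun runtime binary as a whole token
# (e.g. "/tmp/.cache/bun run x.js", "bun install"), not words like "bundle".
BUN_RE = re.compile(r"(^|[\s/=\"'])bun(\.exe)?(\s|$)", re.IGNORECASE)
# Spoofed commit identity described in the report.
SPOOFED_IDENTITY_RE = re.compile(r"\bclaude\b", re.IGNORECASE)


def is_malicious_version(version: str) -> bool:
    """True for the two quarantined releases (exact match after trimming)."""
    return version.strip() in MALICIOUS_VERSIONS


def suspicious_package_paths(paths):
    """Return entries whose directory components include ``_runtime``.

    ``paths`` is any iterable of package-relative paths, e.g. a wheel's
    RECORD entries or the files importlib.metadata lists for a distribution.
    """
    hits = []
    for p in paths:
        dirs = str(p).replace("\\", "/").split("/")[:-1]
        if "_runtime" in dirs:
            hits.append(str(p))
    return hits


def audit_installed_lightning():
    """Inspect the lightning distribution actually installed, if any."""
    try:
        dist = metadata.distribution("lightning")
    except metadata.PackageNotFoundError:
        return {"installed": False}
    files = [str(f) for f in (dist.files or [])]
    return {
        "installed": True,
        "version": dist.version,
        "malicious_version": is_malicious_version(dist.version),
        "runtime_paths": suspicious_package_paths(files),
    }


def bun_process_lines(log_lines):
    """Return CI/CD log lines showing the Bun runtime being invoked."""
    return [line for line in log_lines if BUN_RE.search(line)]


def spoofed_commits(git_log_lines):
    """Parse ``git log --format='%H%x09%an%x09%cn%x09%s'`` output and return
    (sha, author, committer) for entries whose identity matches 'claude'."""
    hits = []
    for line in git_log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue
        sha, author, committer = parts[0], parts[1], parts[2]
        if SPOOFED_IDENTITY_RE.search(author) or SPOOFED_IDENTITY_RE.search(committer):
            hits.append((sha, author, committer))
    return hits


# Constructed sample data (not real incident artefacts).
SAMPLE_RECORD = [
    "lightning/__init__.py",
    "lightning/fabric/fabric.py",
    "lightning/_runtime/__init__.py",
    "lightning/_runtime/bootstrap.py",
    "lightning-2.6.2.dist-info/METADATA",
]
SAMPLE_CI_LOG = [
    "2026-04-30T12:00:01Z pip install -r requirements.txt",
    "2026-04-30T12:00:09Z python -c 'import lightning'",
    "2026-04-30T12:00:10Z /tmp/.cache/bun run /tmp/.cache/index.js",
    "2026-04-30T12:00:15Z pytest -q",
    "2026-04-30T12:00:16Z echo bundle complete",
]
SAMPLE_GIT_LOG = [
    "a1b2c3\tAlice Dev\tAlice Dev\tFix flaky test",
    "d4e5f6\tclaude\tClaude\tUpdate workflow",
    "0a1b2c\tBob Build\tGitHub\tBump version",
]

if __name__ == "__main__":
    print("installed lightning:", audit_installed_lightning())
    print("_runtime entries in sample RECORD:", suspicious_package_paths(SAMPLE_RECORD))
    print("Bun invocations in sample CI log:", bun_process_lines(SAMPLE_CI_LOG))
    print("spoofed-identity commits:", spoofed_commits(SAMPLE_GIT_LOG))
```

The version check is an exact match against the two quarantined releases rather than a range, so a legitimate future release is not flagged by accident; the `_runtime` test looks at directory components only, so a file that merely contains the string in its name is ignored; and the Bun matcher requires the binary name as a whole token, which keeps words such as "bundle" out of the results.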

14 min read. Source: snyk.io

Table of contents of the original article:
- What's in the malicious package
- How the malicious wheels reached PyPI
- How the disclosure unfolded on GitHub
- Why "Bun in Python" matters
- Recommended actions
- What this tells us about the threat model
- Start securing your Python apps
