Socket finds lightning PyPI compromise

Python packages are supposed to be boring. You install one, import it, and get on with your work. But the `lightning` compromise broke that assumption in a nasty way — two PyPI releases, 2.6.2 and 2.6.3, turned a routine machine-learning dependency into a credential stealer that fired as soon as code imported the library on April 30. Socket flagged the packages within 18 minutes, Lightning AI later confirmed the compromise, and PyPI quarantined the project while maintainers published a critical advisory. (socket.dev) ### What got compromised? The package was `lightning`, the Python distribution behind the Lightning AI deep-learning framework that many teams still think of as PyTorch Lightning. It is widely used in research notebooks, training scripts, MLOps pipelines, and production AI systems, which is exactly why this hit so hard — the machines importing it often hold cloud credent(socket.dev)6.1, published on January 30, 2026. (socket.dev) ### Why was `import lightning` enough? Because the malicious code was wired into the package import path. Researchers found a hidden `_runtime` directory inside the wheel and a modified `__init__.py` that spawned a background daemon thread. That thread downloaded the Bun JavaScript runtime from GitHub and executed `router_runtime.js`, a heavily obfuscated payload around (socket.dev)e malware ran quietly while the developer saw a working library. (socket.dev) ### What was the payload trying to steal? Basically everything you would hate to lose on a developer box or CI runner. The analyses point to theft of tokens, local credentials, environment variables, cloud secrets, and GitHub access. Sonatype and StepSecurity both say the code targeted multi-cloud environments — AWS, Azure, and Google Cloud showed up in the payload’s beh(socket.dev)erial, and cloud-related secrets. (socket.dev) ### Why does Bun matter here? Bun is just the runtime the attackers used to execute the JavaScript stealer. That detail matters because it shows how cross-ecosystem these attacks have become. The malicious Python package did not need to carry all of its logic as readable Python. It used Python as a loader, then switched into an obfuscated JS payload. That makes static in(socket.dev)yPI-style compromises. (socket.dev) ### Was 2.6.3 a fix? No — and that is one of the most important details. Sonatype says 2.6.3 arrived 13 minutes after 2.6.2 and retained the malicious functionality with small changes to metadata and loader behavior. So anyone who upgraded from 2.6.2 to 2.6.3 thinking they were moving to safety would still be exposed. Lightning AI’s advisory treats affected versions as `(socket.dev)3 were compromised. (sonatype.com) ### Is this a one-off or part of a pattern? Turns out it looks like part of a broader campaign. Several security teams tie the package to the Shai-Hulud or “Mini Shai-Hulud” family — self-propagating supply-chain malware that steals credentials and then uses those credentials to poison more packages or repositories. StepSecurity says the pattern f(sonatype.com)PIs and even infect local npm package tarballs. (stepsecurity.io) ### What should affected teams do now? Treat any machine that installed or imported 2.6.2 or 2.6.3 as potentially compromised. Roll back to 2.6.1 or lower, rotate tokens and cloud credentials, inspect GitHub access, and review CI systems and developer laptops for secondary spread. The bigger lesson is simple — package i(stepsecurity.io)ght next to your most valuable secrets. (socket.dev)