supplychainattack.org · Supply chain attack incident catalog
Status: contained · Severity: high

lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel

The lightning PyPI package versions 2.6.2 and 2.6.3 were compromised on April 30, 2026: both wheels contained obfuscated JavaScript designed to steal credentials. The project's GitHub account showed signs of compromise, with suspicious accounts closing the issues that reported the attack.

Disclosed: April 30, 2026
Last updated: June 7, 2026
Blast radius: PyPI package users; direct dependents of lightning 2.6.2 and 2.6.3
Ecosystems: PyPI
Attack vectors:
Affected entities:
  • lightning · 2.6.2, 2.6.3

On April 30, 2026, a supply chain compromise was identified affecting the lightning package on PyPI. Versions 2.6.2 and 2.6.3 contained obfuscated JavaScript credential-stealer code bundled inside the wheel distribution.

Investigation found that the project's GitHub account showed signs of compromise. Issues reporting the attack were closed rapidly by suspicious accounts responding to the reports, which suggests the threat actor held active control of the project during the incident window.

Bundled JavaScript is unusual in a Python wheel and is itself worth flagging; combining it with obfuscation points to an attack designed to evade automated detection and to slow reverse engineering by security researchers and package maintainers.

Remediation

  • Immediately uninstall lightning 2.6.2 and 2.6.3, or upgrade to a release newer than 2.6.3 (the advisory does not name a specific patched version; verify the contents of whatever release you move to)
  • Treat any system that installed lightning 2.6.2 or 2.6.3 as potentially compromised: audit it for credential theft and unauthorized access, and rotate secrets that were present on it (cloud keys, package-registry tokens, SSH keys, CI secrets)
  • Project maintainers should review git history and access logs for the lightning GitHub repository to identify the exact point of compromise, and should compare the published wheels against the tagged source, since a payload injected at build or publish time may never appear in the repository
  • Pin dependencies with hashes (pip's --require-hashes mode) and verify PyPI attestations where publishers provide them, so that a re-published or tampered artifact fails installation
  • Use dependency scanning tools to detect vulnerable or compromised packages in real time
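The remediation steps above can be partly automated. The script below is an added example, not code from the lightning project, StepSecurity or this catalog: it checks whether the installed lightning version is one of the two affected releases, lists JavaScript-like files inside a wheel (a wheel is a zip archive) or in an installed distribution's RECORD file, and scores each script for common obfuscation traits. The heuristics, thresholds, file names and the sample payload are assumptions constructed for illustration, not indicators taken from the advisory.

```python
"""Triage helper for the lightning 2.6.2/2.6.3 incident (added example, not the
project's or StepSecurity's code). The heuristics, thresholds and sample payload
are assumptions for illustration, not indicators from the advisory."""
import io
import math
import re
import zipfile
from collections import Counter
from importlib import metadata
from typing import Optional

AFFECTED = {"2.6.2", "2.6.3"}           # versions named in the advisory
SCRIPT_EXT = (".js", ".mjs", ".cjs")     # script types a Python wheel rarely needs
# Tokens common in obfuscated JS droppers (assumed heuristics)
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "Function(")


def version_is_affected(version: str) -> bool:
    """True when a lightning version string is one of the compromised releases."""
    return version.strip() in AFFECTED


def installed_lightning_version() -> Optional[str]:
    """Version of lightning in the current environment, or None if not installed."""
    try:
        return metadata.version("lightning")
    except metadata.PackageNotFoundError:
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded payloads score higher than plain source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_script(name: str, data: bytes) -> dict:
    """Score one script for obfuscation: a very long line, many hex escapes,
    high entropy and each eval-style token add one point apiece."""
    text = data.decode("utf-8", errors="replace")
    longest_line = max((len(line) for line in text.splitlines()), default=0)
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", text))
    tokens = [t for t in SUSPICIOUS_TOKENS if t in text]
    entropy = shannon_entropy(data)
    score = int(longest_line > 500) + int(hex_escapes > 20) + int(entropy > 5.0) + len(tokens)
    return {"file": name, "longest_line": longest_line, "hex_escapes": hex_escapes,
            "entropy": round(entropy, 2), "tokens": tokens, "score": score}


def scan_wheel(wheel_bytes: bytes) -> list:
    """One finding per JavaScript-like file inside a wheel archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXT):
                findings.append(analyse_script(info.filename, zf.read(info)))
    return findings


def scan_record(record_text: str) -> list:
    """Script paths in an installed distribution's RECORD file
    (site-packages/<dist>.dist-info/RECORD, one 'path,hash,size' line per file)."""
    paths = [line.split(",", 1)[0] for line in record_text.splitlines() if line.strip()]
    return [p for p in paths if p.lower().endswith(SCRIPT_EXT)]


# ---- constructed fixtures (not real package contents) ----
def build_sample_wheel(extra_files: dict) -> bytes:
    """Minimal wheel-shaped zip for testing; extra_files are added verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lightning/__init__.py", b"__version__ = '2.6.2'\n")
        zf.writestr("lightning-2.6.2.dist-info/METADATA", b"Name: lightning\nVersion: 2.6.2\n")
        for name, data in extra_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed payload imitating common obfuscation patterns (not the real stealer)
OBFUSCATED_JS = (
    "var _0x=[" + ",".join('"\\x%02x\\x%02x"' % (i, i + 1) for i in range(40, 90)) + "];"
    "eval(unescape(String.fromCharCode(" + ",".join(str(i) for i in range(100, 200)) + ")));"
).encode()

# Constructed RECORD excerpt with an unexpected script entry
SAMPLE_RECORD = """lightning/__init__.py,sha256=abc,24
lightning/_static/loader.js,sha256=def,997
lightning-2.6.2.dist-info/RECORD,,
"""

if __name__ == "__main__":
    v = installed_lightning_version()
    print("installed lightning:", v, "affected:", bool(v) and version_is_affected(v))
    for finding in scan_wheel(build_sample_wheel({"lightning/_static/loader.js": OBFUSCATED_JS})):
        print(finding)
    print("scripts listed in RECORD:", scan_record(SAMPLE_RECORD))
```

Run it against a downloaded wheel by passing the file's bytes to scan_wheel, or against an installed copy by feeding the dist-info RECORD to scan_record; any hit in a Python wheel deserves a manual look regardless of score, and the score only orders what to read first.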

Sources

  1. lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel · StepSecurity

Cite this entry

"lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 30, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/lightning-obfuscated-javascript-credential-stealer-bundled-in-pypi-wheel-1h10or


Related incidents

  1. TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package (contained · critical)

     The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. The malicious code was injected into the package, potentially affecting users who installed compromised versions.

     PyPI · Compromised package · Malicious maintainer
  2. The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave (active · critical)

     TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, npm, and VSCode to steal credentials and establish persistence mechanisms.

     npm · Other · Account takeover · Compromised package · Malicious maintainer
  3. Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack (resolved · critical)

     StepSecurity detected a compromise of axios, described as the largest npm supply chain attack on a single package by download count. A state-sponsored threat actor is reported to have actively suppressed warnings by deleting GitHub issues. Detection occurred before public disclosure.

     npm · Compromised package · Malicious maintainer
  4. Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor (active · critical)

     Three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, solidity-linux) contained obfuscated backdoors targeting Solidity and Web3 developers across Windows, macOS, and Linux. The backdoors download remote payloads and establish persistence mechanisms on infected systems.

     Container registry · Other · Compromised package · Malicious maintainer