Chris Murphy

🚨 Two major supply chain attacks today, hitting both PyPI and npm simultaneously. Socket detected and confirmed malicious code in lightning versions 2.6.2 and 2.6.3 on PyPI, and intercom-client version 7.0.4 on npm. Both attacks use nearly identical tooling. Both are live right now. lightning is one of the most popular deep learning frameworks in the Python ecosystem, with millions of downloads per month. intercom-client is Intercom's official Node.js SDK, with roughly 360K weekly downloads. These are not typosquats. These are the real packages. The payloads are almost identical across both attacks: • Both inject an ~11MB obfuscated JavaScript file (router_runtime.js) and a setup script that downloads and executes the Bun runtime from GitHub • Both harvest GitHub tokens, npm tokens, AWS/Azure/GCP credentials, Kubernetes secrets, Vault tokens, and CI/CD environment variables • Both exfiltrate stolen credentials through the GitHub API • Both execute automatically, lightning on import, intercom-client on install The lightning attack goes further. It uses stolen GitHub tokens to commit poisoned files to every branch of every repository the token can write to, impersonating Anthropic's Claude Code as the committer ([email protected]). It also infects local npm tarballs by injecting a postinstall hook and bumping the patch version, so the next publish silently ships malware to downstream users. In both cases, the attackers appear to have compromised maintainer accounts and used them to suppress disclosure. On the Lightning-AI GitHub, the pl-ghost account closed Socket's disclosure issue within one minute and posted a meme. On the Intercom GitHub, the nhur account closed, redacted, and retitled security reports to "N/A." Both accounts show bursts of suspicious branch-creation activity consistent with the Shai-Hulud worm's credential-probing pattern, including misspelled Dependabot impersonation branches. The attackers posted an onion link in the Lightning-AI issue thread claiming affiliation with "Team PCP" and referencing LAPSUS$. Socket has not verified these claims. The intercom-client attack also shows direct Shai-Hulud hallmarks, including repos created with descriptions reading "A Mini Shai-Hulud has Appeared." Socket's AI scanner flagged the malicious lightning versions 18 minutes after publication. If you use either package: • Remove lightning 2.6.2/2.6.3 and intercom-client 7.0.4 immediately • Downgrade to lightning 2.6.1 / intercom-client 7.0.3 • Rotate all credentials in affected environments • Audit repos for unauthorized commits from [email protected] and unexpected files in .claude/ or .vscode/ • More advice in our full research posts... This is the same attacker campaign operating across two language ecosystems simultaneously. The playbook is credential theft, repo poisoning, and worm-style propagation. The scope is still being determined. Developing story...