pypi · Malicious package advisory
Malwarelightning
MAL-2026-3201
Malicious code in lightning (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: kam193 (703ac419d775488be137d7e01517d768da0b5581ab63338fb9523f2289f2b92c) Versions 2.6.2, 2.6.3 were compromised. Compromised versions contain injected code that starts automatically during importing the module, downloads (legitimate) JavaScript runtime, and executes included JavaScript infostealer. It collects credentials from multiple sources (e.g. files, process memory, cloud metadata endpoints, CLI commands like gh or gcloud), sensitive cryptocurrency data, shell history files. It also attempts to spread itself using discovered credentials to other repositories and packages. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-04-compr-lightning Reasons (based on the campaign): - infostealer - files-exfiltration - exfiltration-ssh-keys - exfiltration-crypto - exfiltration-credentials - compromised-package
Compromised versions (2)
- 2.6.2
- 2.6.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.