VYPR

pypi · Malicious package advisory

Malware

lightning

MAL-2026-3201

Malicious code in lightning (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: kam193 (703ac419d775488be137d7e01517d768da0b5581ab63338fb9523f2289f2b92c)
Versions 2.6.2, 2.6.3 were compromised.


Compromised versions contain injected code that starts automatically during importing the module, downloads (legitimate) JavaScript runtime, and executes included JavaScript infostealer. It collects credentials from multiple sources (e.g. files, process memory, cloud metadata endpoints, CLI commands like gh or gcloud), sensitive cryptocurrency data, shell history files. It also attempts to spread itself using discovered credentials to other repositories and packages.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-04-compr-lightning


Reasons (based on the campaign):


 - infostealer


 - files-exfiltration


 - exfiltration-ssh-keys


 - exfiltration-crypto


 - exfiltration-credentials


 - compromised-package

Compromised versions (2)

  • 2.6.2
  • 2.6.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.