PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials
Threat actors compromised the PyTorch Lightning Python package and the Intercom npm/Packagist packages on April 30, 2026, as part of the ongoing Mini Shai-Hulud campaign to steal developer credentials.

A coordinated software supply chain attack struck multiple open-source ecosystems on April 30, 2026, as threat actors pushed malicious versions of the popular PyTorch Lightning Python package and the Intercom client libraries for npm and Packagist. The campaign, assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages earlier this week, aims to steal developer credentials including GitHub tokens, cloud credentials, and SSH keys.
According to security firms Aikido Security, OX Security, Socket, and StepSecurity, the attackers published malicious versions 2.6.2 and 2.6.3 of PyTorch Lightning on PyPI. PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch, with more than 31,100 stars on GitHub. The malicious package includes a hidden `_runtime` directory containing a downloader and an obfuscated JavaScript payload. The execution chain runs automatically when the `lightning` module is imported, requiring no additional user action after installation.
The attack chain begins with a Python script (`start.py`) that downloads and executes the Bun JavaScript runtime, which then runs an 11 MB obfuscated malicious payload (`router_runtime.js`) built for comprehensive credential theft. Harvested GitHub tokens are first validated against the `api.github[.]com/user` endpoint; each valid token is then used to enumerate every repository it can write to and inject a worm-like payload into up to 50 branches of each. The injection is an upsert: files that do not yet exist are created and files that do are silently overwritten, and every poisoned commit is authored under a hardcoded identity crafted to impersonate Anthropic's Claude Code.
The malware also implements an npm-based propagation vector. It modifies the developer's local npm packages by adding a postinstall hook to `package.json` that invokes the malicious payload, bumps the patch version, and repacks the `.tgz` tarballs. If the unsuspecting developer then publishes the tampered packages from that environment, the trojanized versions land on npm and from there on downstream users' systems. PyPI administrators have quarantined the project, and users are advised to roll back to version 2.6.1 and rotate any credentials that were exposed.
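A quick offline triage of a host where the package may have been installed follows. This is an added example, not code from PyTorch Lightning or from any of the vendor reports; it relies only on the indicators named above (the malicious versions 2.6.2 and 2.6.3, the hidden `_runtime` directory, and the `start.py` and `router_runtime.js` file names). Checking the `pytorch_lightning` module directory in addition to `lightning` is an assumption of this example, and the `__main__` block resolves the site-packages directory of whichever interpreter runs it.

```python
from __future__ import annotations

import re
import sysconfig
from pathlib import Path

# Versions the reports identify as malicious; 2.6.1 is the advised rollback.
MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}
# Module/distribution names to inspect. The reports name the `lightning`
# module; also checking `pytorch_lightning` is an assumption of this example.
NAMES = ("lightning", "pytorch_lightning")
# File names the reports attribute to the dropper chain.
PAYLOAD_FILES = {"start.py", "router_runtime.js"}
DIST_INFO_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)-(?P<version>[^-]+)\.dist-info$")


def installed_versions(site_packages: Path) -> dict[str, str]:
    """Map distribution name -> version, read from *.dist-info directory names."""
    found: dict[str, str] = {}
    for entry in site_packages.iterdir():
        m = DIST_INFO_RE.match(entry.name)
        if m and entry.is_dir():
            name = m.group("name").lower().replace("-", "_")
            if name in NAMES:
                found[name] = m.group("version")
    return found


def runtime_artifacts(site_packages: Path) -> list[str]:
    """List `_runtime` directories and known payload file names under the modules.

    A `_runtime` directory inside the package tree is the strong signal;
    `start.py` on its own is a weak one and is listed only for context.
    """
    hits: list[str] = []
    for name in NAMES:
        module_dir = site_packages / name
        if not module_dir.is_dir():
            continue
        for p in module_dir.rglob("*"):
            if (p.is_dir() and p.name == "_runtime") or (
                p.is_file() and p.name in PAYLOAD_FILES
            ):
                hits.append(p.relative_to(site_packages).as_posix())
    return sorted(hits)


def triage(site_packages: Path) -> dict:
    """Combine the version and artifact checks into one verdict."""
    versions = installed_versions(site_packages)
    bad = {n: v for n, v in versions.items() if v in MALICIOUS_VERSIONS}
    artifacts = runtime_artifacts(site_packages)
    return {
        "versions": versions,
        "malicious_versions": bad,
        "artifacts": artifacts,
        "compromised": bool(bad or artifacts),
    }


if __name__ == "__main__":
    # Inspect the site-packages of the interpreter running this script.
    sp = Path(sysconfig.get_paths()["purelib"])
    result = triage(sp)
    print(f"site-packages: {sp}")
    for key in ("versions", "malicious_versions", "artifacts"):
        print(f"{key}: {result[key]}")
    if result["compromised"]:
        print("Do NOT import lightning. Uninstall it, pin 2.6.1, and rotate the "
              "GitHub, cloud and SSH credentials reachable from this host.")
    else:
        print("no indicators found")
```

Run it with the same interpreter or virtual environment the project uses, and without importing `lightning` first, since the reports say the chain fires on import. A clean result is not proof of a clean host: a developer who already imported a malicious build should treat the host's GitHub tokens, cloud credentials and SSH keys as exposed and rotate them regardless of what the script prints.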
In a related development, version 7.0.4 of the `intercom-client` npm package was compromised as part of the same Mini Shai-Hulud campaign, following the same modus operandi as the SAP packages: a preinstall hook triggers the credential-stealing malware. The campaign has also spread to Packagist with the compromise of `intercom/intercom-php` (version 5.0.2), which adapts the same credential-stealing mechanism to the PHP ecosystem by using Composer plugin execution to download Bun via a shell script (`setup-intercom.sh`) during install or update events.
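The install-time hooks described in the two preceding paragraphs (a postinstall hook planted into local npm packages and repacked tarballs, a preinstall hook in `intercom-client`, and a Composer plugin in `intercom/intercom-php`) can all be audited offline before anything is installed or published. The scanner below is an added example, not code from any of the vendor reports or from the affected projects. The hook names are the real npm and Composer lifecycle events; the substring heuristic is this example's own, and the manifests and tarball in the test are constructed stand-ins, not copies of the malicious packages.

```python
from __future__ import annotations

import json
import sys
import tarfile
from pathlib import Path

# npm lifecycle scripts that run during install, pack or publish.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare",
             "prepublish", "prepublishOnly", "prepack", "postpack"}
# Composer root-package event scripts that fire on install/update.
COMPOSER_EVENTS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd",
                   "post-update-cmd", "post-autoload-dump",
                   "post-package-install", "post-package-update"}
# Substrings suggesting a hook fetches a runtime or hands control to a shell
# script, as the Bun-downloading hooks in the reports do. Heuristic; tune it.
SUSPECT_TOKENS = ("bun ", "bun.sh", "curl ", "wget ", "| sh", "|sh", "sh -c",
                  "bash ", ".sh", "node -e", "eval(")


def _suspicious(command: str) -> bool:
    return any(tok in command for tok in SUSPECT_TOKENS)


def inspect_package_json(text: str, origin: str = "") -> list[dict]:
    """Report every npm lifecycle hook declared in a package.json document."""
    data = json.loads(text)
    base = {"origin": origin, "ecosystem": "npm",
            "package": data.get("name"), "version": data.get("version")}
    return [{**base, "hook": hook, "command": cmd, "suspicious": _suspicious(cmd)}
            for hook, cmd in (data.get("scripts") or {}).items()
            if hook in NPM_HOOKS]


def inspect_composer_json(text: str, origin: str = "") -> list[dict]:
    """Report Composer plugin declarations and install/update event scripts."""
    data = json.loads(text)
    base = {"origin": origin, "ecosystem": "composer",
            "package": data.get("name"), "version": data.get("version")}
    out: list[dict] = []
    if data.get("type") == "composer-plugin":
        # A plugin's PHP class runs inside Composer on install/update and its
        # code is not visible here, so every plugin is flagged for manual review.
        cls = str((data.get("extra") or {}).get("class", ""))
        out.append({**base, "hook": "composer-plugin", "command": cls,
                    "suspicious": True})
    for event, cmds in (data.get("scripts") or {}).items():
        if event in COMPOSER_EVENTS:
            for cmd in ([cmds] if isinstance(cmds, str) else cmds):
                out.append({**base, "hook": event, "command": cmd,
                            "suspicious": _suspicious(cmd)})
    return out


def inspect_tarball(path: Path, origin: str = "") -> list[dict]:
    """Inspect the package.json inside an npm `.tgz` before it is published."""
    with tarfile.open(path, "r:gz") as tar:
        try:
            member = tar.extractfile("package/package.json")
        except KeyError:
            return []  # not an npm tarball
        if member is None:
            return []
        return inspect_package_json(member.read().decode("utf-8"),
                                    origin or str(path))


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout, node_modules or vendor tree and collect hook findings."""
    findings: list[dict] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            if path.name == "package.json":
                findings += inspect_package_json(path.read_text("utf-8"), rel)
            elif path.name == "composer.json":
                findings += inspect_composer_json(path.read_text("utf-8"), rel)
            elif path.suffix == ".tgz":
                findings += inspect_tarball(path, rel)
        except (ValueError, tarfile.TarError, UnicodeDecodeError):
            continue  # unparsable manifest or non-gzip tarball; skip it
    return findings


if __name__ == "__main__":
    scan_root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in scan_tree(scan_root):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['origin']}: {f['ecosystem']} {f['package']}@{f['version']} "
              f"{f['hook']} -> {f['command']}")
```

Point it at a checkout, a `node_modules` or `vendor` directory, or the `.tgz` that `npm pack` produced before running `npm publish`, which is exactly where the propagation step above would be caught. It is a review aid, not a verdict: postinstall scripts and Composer plugins are legitimate in many packages, so every hook is listed and only those that fetch a runtime or hand off to a shell script are marked suspicious. For CI runners and developer machines, two settings close both vectors outright: `ignore-scripts=true` in `.npmrc` stops npm from running lifecycle scripts, and Composer 2.2 and later only loads plugins explicitly listed under `config.allow-plugins` in the root `composer.json`.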
The supply chain attack is attributed to a threat actor known as TeamPCP, which has since launched an onion website on the dark web after its X account was suspended for violating the platform's rules. The group also described LAPSUS$ as a "good partner" and emphasized that it has "never used VECT encryption tools and we own CipherForce, our own private locker." The maintainers of PyTorch Lightning have acknowledged the issue and are actively investigating, with indications that the project's GitHub account has been compromised.