Many New Zealand businesses rely on open-source Python and JavaScript packages for AI, analytics, and SaaS integrations — often pulled directly into CI/CD pipelines. The compromise of PyTorch Lightning and intercom-client shows how a single poisoned dependency can harvest credentials, propagate worm-like through GitHub, and reach downstream customers within hours. If your dev teams or data science groups consume these packages, you may already be exposed.
What Happened
Threat actors published two malicious versions of the popular lightning PyPI package (2.6.2 and 2.6.3) on 30 April 2026. Once imported, the package silently launches a Python script that downloads the Bun JavaScript runtime and executes an 11MB obfuscated payload (router_runtime.js) designed for broad credential theft. PyPI has quarantined the project, and maintainers are investigating what appears to be a compromise of the project's GitHub account.
The attack is notable for its worm-like propagation. Stolen GitHub tokens are validated, then used to push poisoned commits to up to 50 branches across every repository the token can write to — overwriting existing files and impersonating Anthropic's Claude Code in commit metadata. The malware also tampers with locally installed npm packages, adding a postinstall hook, bumping the patch version, and repacking tarballs so any subsequent npm publish spreads the infection downstream.
In parallel, version 7.0.4 of intercom-client on npm was compromised as part of the same "Mini Shai-Hulud" campaign that hit SAP-related npm packages earlier in the week. Both incidents are attributed to TeamPCP, a threat actor with ties to LAPSUS$ and a track record of supply chain attacks against Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy.
The targets are developer secrets — GitHub tokens, npm credentials, cloud keys, and CI/CD service principals. Once harvested, these enable lateral movement into source code, build pipelines, and production cloud environments, making this a direct threat to software integrity and customer trust.
Key Takeaways
- Malicious lightning 2.6.2 and 2.6.3 on PyPI, and intercom-client 7.0.4 on npm, contain credential-stealing payloads.
- Execution is automatic on import or install — no user interaction required.
- Stolen GitHub tokens are weaponised to spread poisoned commits across all writable repositories.
- The malware tampers with local npm packages so developers unwittingly publish infected versions.
- The campaign is linked to TeamPCP, the same group behind recent Checkmarx and Bitwarden supply chain incidents.
- Last known clean Lightning version is 2.6.1; intercom-client should be downgraded below 7.0.4.
What NZ Businesses Should Do
- Audit and remediate immediately. Block Lightning 2.6.2/2.6.3 and intercom-client 7.0.4 across developer workstations, build agents, and container images. Downgrade to clean versions, then rotate every GitHub token, npm token, cloud key, and CI/CD secret that touched affected environments.
- Hunt for indicators of compromise. Look for unexpected Bun runtime installations, the _runtime directory, suspicious postinstall hooks in package.json, and recent commits attributed to Claude Code identities you didn't authorise. Trend Vision One™ Security Operations (XDR with Agentic SIEM and SOAR) can correlate developer endpoint, identity, and cloud telemetry to surface this activity quickly.
- Lock down your software supply chain. Use Trend Vision One™ Cloud Security / CNAPP to scan IaC, container images, and dependencies for known-malicious packages, and enforce policy in CI/CD before artefacts ship.
- Reduce exposure of developer identities. Trend Vision One™ Identity Security (ISPM + ITDR) helps detect stolen-token reuse and anomalous GitHub or cloud API behaviour, while Trend Vision One™ Cyber Risk Exposure Management (CREM) continuously surfaces over-permissioned tokens and exposed secrets.
- Govern AI tooling and shadow AI. With attackers impersonating AI assistants in commits, deploy AI Secure Access to control which GenAI tools developers use and how they interact with code.
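
One way to script the audit and hunt steps above, as an added example rather than code from this advisory or any vendor: it flags the package versions named on this page in requirements files and npm lockfiles, lists postinstall hooks for review, and reports directories named _runtime. The function names and finding labels are assumptions made for this example.

```python
import json
import re
from pathlib import Path

# Package versions named as malicious in the advisory above.
BAD = {"lightning": {"2.6.2", "2.6.3"}, "intercom-client": {"7.0.4"}}
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
WATCHED = re.compile(r"^(requirements.*\.txt|package(-lock)?\.json)$")

def scan_requirements(text):
    """Blocklisted exact pins (name==version) in a requirements file."""
    hits = []
    for m in filter(None, map(PIN.match, text.splitlines())):
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name form
        if m.group(2) in BAD.get(name, ()):
            hits.append((name, m.group(2)))
    return hits

def scan_package_lock(text):
    """Blocklisted versions in an npm lockfile (v2/v3 'packages' map)."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # nested and scoped installs
        if meta.get("version") in BAD.get(name, ()):
            hits.append((name, meta["version"]))
    return hits

def postinstall_hook(text):
    """The postinstall command a package.json declares, or None."""
    return (json.loads(text).get("scripts") or {}).get("postinstall")

def scan_tree(root):
    """Walk a checkout or unpacked image; return (path, kind, detail) findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_dir() and p.name == "_runtime":  # directory name from the advisory
            findings.append((str(p), "runtime-dir", p.name))
        if not p.is_file() or not WATCHED.match(p.name):
            continue
        try:
            text = p.read_text(errors="replace")
            if p.suffix == ".txt":
                findings += [(str(p), "pypi", f"{n}=={v}") for n, v in scan_requirements(text)]
            elif p.name == "package-lock.json":
                findings += [(str(p), "npm", f"{n}@{v}") for n, v in scan_package_lock(text)]
            elif cmd := postinstall_hook(text):
                findings.append((str(p), "postinstall-review", str(cmd)))
        except (OSError, ValueError, AttributeError):
            findings.append((str(p), "unparsed", "could not read or parse"))
    return findings
```

A postinstall finding is a prompt for review rather than a verdict, since many legitimate packages declare one; unpinned requirements (for example `lightning>=2.6`) are not matched and need the installed version checked separately.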