www.stepsecurity.io 4/30/2026, 3:10:06 PM

Lightning PyPI package compromised, steals secrets via JS payload

On 30 April 2026, a supply chain compromise was identified in the lightning PyPI package, affecting versions 2.6.2 and 2.6.3. On import, a daemon thread silently downloads the Bun JavaScript runtime from GitHub and executes router_runtime.js, an 11 MB heavily obfuscated payload.

The malware steals tokens, credentials, environment variables and cloud secrets, and abuses the GitHub API to commit the exfiltrated data to repositories using the victim's own credentials; it also infects npm package tarballs on the developer's machine. The project's GitHub account shows signs of compromise: issues reporting the attack were closed rapidly with suspicious responses. The last clean release before this was 2.6.1, published on 30 January 2026. This is a developing story; full payload analysis is ongoing and updates are expected as additional details become available.
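As an added defensive check (not code from the StepSecurity article or the Lightning project), the following audits requirements-file or `pip freeze` lines for the releases the summary names as compromised (2.6.2 and 2.6.3, with 2.6.1 the last clean one) and flags unpinned or floor-only specs that a resolver could satisfy with one of them; the sample lines are constructed.

```python
import re

# Releases the advisory names as compromised; it cites 2.6.1 as the last clean one.
COMPROMISED = {(2, 6, 2), (2, 6, 3)}

# requirement line: name, optional [extras], optional operator and version
_REQ = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
                  r"(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?")

def _version(text):
    """'2.6.2' -> (2, 6, 2); None for pre-release or other non-numeric suffixes."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def classify(line):
    """Verdict for one requirements / pip-freeze line: 'compromised' (pinned to
    2.6.2 or 2.6.3), 'clean' (another pin, or a floor above 2.6.3), 'review'
    (unpinned, floor-only or unparsed spec), None (not the `lightning` dist)."""
    line = line.split("#", 1)[0].strip()
    m = _REQ.match(line) if line else None
    if not m or m.group("name").lower().replace("_", "-") != "lightning":
        return None
    op, ver = m.group("op"), m.group("ver")
    if op is None:
        return "review"                     # bare `lightning` floats to latest
    version = _version(ver) if ver else None
    if version is None:
        return "review"
    if op == "==":
        return "compromised" if version in COMPROMISED else "clean"
    if op in (">=", ">", "~="):
        return "clean" if version > max(COMPROMISED) else "review"
    return "review"                         # <, <=, != : check the resolved lock

def scan(text):
    """Return (line_no, verdict, line) for every line that needs attention."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        verdict = classify(raw)
        if verdict in ("compromised", "review"):
            findings.append((no, verdict, raw.strip()))
    return findings

# constructed sample mixing requirements-file and pip-freeze style lines
SAMPLE = """\
lightning==2.6.2
pytorch-lightning==2.5.0
Lightning[extra]>=2.6
lightning==2.6.1
"""
```

Run `scan()` over `pip freeze` output from each environment and over every requirements, constraints and lock file in CI; a 'review' verdict means the resolved version must be checked in the lock file, not that the line is safe.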

Article by CyberSIXT
