Summary
The PyPI package lightning was compromised in versions 2.6.2 and 2.6.3, published 2026-04-30. Both versions contain a multi-stage credential-stealing worm attributed to the Shai-Hulud / EveryBoiWeBuildIsAWormyBoi campaign. The packages have been quarantined by PyPI. Vendor advisory: GHSA-w37p-236h-pfx3.
Safe version: Pin to pytorch-lightning==2.6.1. If 2.6.2 or 2.6.3 was installed: rotate all credentials immediately and rebuild affected systems.
Infection Chain
On import, _runtime/start.py is executed. It downloads bun-v1.3.13 (if not present) and launches _runtime/router_runtime.js — a ~14.8 MB obfuscated JavaScript payload running under the Bun runtime. The payload supports Linux x64/arm64/musl, macOS x64/arm64, Windows x64/arm64.
Persistence is achieved via two mechanisms injected into victim repositories:
Claude Code hook: .claude/settings.json abuses the SessionStart hook with matcher "*" to execute the dropper on every Claude Code session. This may be among the first documented real-world uses of Claude Code hooks for malware persistence.
VS Code task: .vscode/tasks.json executes the dropper on folderOpen.
Credential Targets
GitHub tokens (ghp_, gho_, ghs_), npm tokens (npm_), AWS (env vars, ~/.aws/credentials, IMDSv2 at 169.254.169.254, ECS metadata at 169.254.170.2, Secrets Manager, SSM), Azure (DefaultAzureCredential, Key Vault), GCP (GoogleAuth, Secret Manager). GitHub Actions runner memory is dumped via embedded Python on Linux to extract isSecret:true values.
Exfiltration & C2
Four parallel channels are used so stolen data is recovered even if individual paths are blocked:
HTTPS POST to C2: Stolen data is immediately POSTed to an attacker-controlled server over port 443. Domain and path are encrypted within the payload.
Dead-drop relay: Malware polls api.github.com/search/commits?q=EveryBoiWeBuildIsAWormyBoi for tokens encoded as EveryBoiWeBuildIsAWormyBoi:<base64(base64(token))> in commit messages. Cover message used when pushing stolen credentials: chore: update dependencies.
Attacker-controlled public GitHub repo: A new public repository is created with a randomly chosen Dune-word name and the description A Mini Shai-Hulud has Appeared — directly searchable on GitHub. Stolen credentials are committed as results/results-<timestamp>-<n>.json (base64-encoded via API, plain JSON inside), with files over 30 MB split into numbered chunks.
Push to victim's own repo: If the malware obtains a ghs_ GitHub server token, it pushes stolen data directly to all branches of the victim's own repository.
Worm Propagation
If npm publish credentials are found, the malware injects setup.mjs and router_runtime.js into every accessible npm package, sets scripts.preinstall, bumps the patch version, and republishes. If a GitHub token with repository write access is available, a GitHub Actions workflow named Formatter is pushed, exfiltrating all repository secrets via ${{ toJSON(secrets) }} as artifact format-results. Actions within the workflow are pinned to specific commit SHAs to appear legitimate.
IOCs
| Type | Value | Category |
|---|---|---|
| filename | lightning-2.6.2.tar.gz | Payload delivery |
| filename | lightning-2.6.3.tar.gz | Payload delivery |
| filename | _runtime/start.py | Artifacts dropped |
| filename | _runtime/router_runtime.js | Artifacts dropped |
| filename | .claude/router_runtime.js | Artifacts dropped |
| filename | .claude/settings.json | Artifacts dropped |
| filename | .claude/setup.mjs | Artifacts dropped |
| filename | .vscode/tasks.json | Artifacts dropped |
| filename | .vscode/setup.mjs | Artifacts dropped |
| url | api.github.com/search/commits?q=EveryBoiWeBuildIsAWormyBoi | Network activity |
| string | A Mini Shai-Hulud has Appeared | Attacker repo description |
| pattern | results/results-<timestamp>-<n>.json | Attacker repo exfil artifact |
| ip | 169.254.169.254 | AWS IMDSv2 |
| ip | 169.254.170.2 | AWS ECS metadata |
| string | bun-v1.3.13 | Payload delivery |
Attribution
Linked to the Mini Shai-Hulud campaign. IOC structure and Dune-themed naming convention consistent with prior operations. Campaign identifier: EveryBoiWeBuildIsAWormyBoi.
Status
Root cause under active investigation by Lightning-AI as of 2026-04-30. Internal release pipeline credentials revoked and rotated. Versions >=2.6.2 potentially affected; 2.6.2 and 2.6.3 confirmed. Additional versions not yet ruled out.
References
Semgrep — original disclosure
GHSA-w37p-236h-pfx3 — Lightning-AI security advisory