Popular lightning PyPI Package Backdoored in Latest Shai-Hulud Wave

Malicious versions 2.6.2 and 2.6.3 of the PyPI package lightning execute a hidden Bun-based JavaScript payload on import. The package has been promptly quarantined by the PyPI administrators.

Written by
Henrik Plate
Published on
April 30, 2026
Updated on
April 30, 2026

TL;DR

Two versions of lightning, a widely used Python package downloaded roughly 8 million times per month, have been identified as malicious and removed. The package is a popular tool used by developers and AI/ML teams to build and train machine learning models — meaning the affected versions could have reached a large number of organizations.

The compromised builds (2.6.2 and 2.6.3) trigger a hidden background process the moment a program runs import lightning: lightning/_runtime/start.py silently downloads the Bun JavaScript runtime from an external source and uses it to execute an 11.4MB payload (router_runtime.js), with stdout and stderr redirected to DEVNULL so that nothing is visible to the user.

This behavior — a hidden init-time hook, an out-of-ecosystem runtime fetch, and an oversized obfuscated JS payload run under cover of silenced I/O — is inconsistent with the package's prior benign releases and matches the tradecraft seen in recent Shai-Hulud waves, which have leaned on Bun specifically to evade Node and Python tooling. Treat any environment that installed these versions as potentially compromised: pin to a known-good release, rotate developer and CI credentials (npm, PyPI, GitHub, cloud), and audit for outbound connections from Python processes importing lightning.

We are currently analysing the dropped payloads and will publish a full technical breakdown shortly. However, the tradecraft and likely blast radius closely mirror earlier Shai-Hulud waves we have covered (here and here), and we expect a similar credential-theft and self-propagation impact.

Affected Packages

| Package   | Malicious Version | Last Clean Version |
|-----------|-------------------|--------------------|
| lightning | 2.6.2             | 2.6.1              |
| lightning | 2.6.3             | 2.6.1              |

Immediate action: run pip cache remove lightning && pip uninstall lightning && pip install lightning==2.6.1 --no-deps, and verify that the pinned version pre-dates the compromise before installing. The pip cache remove step is critical: without it, pip may silently reinstall a compromised wheel from the local cache. Assume all cloud and developer credentials on any host that imported a compromised version are exposed.
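Because the malicious hook fires on import, an environment should be checked without ever importing the package. The following script is an added example (not code from the original post or from the lightning project): it reads the installed version from the dist-info metadata, looks for the lightning/_runtime/start.py hook named above, and flags the indicators the advisory describes (a Bun fetch, router_runtime.js, silenced subprocess I/O). The string patterns and the SUSPICIOUS/CLEAN verdict logic are assumptions for illustration, not published signatures.

```python
"""Audit a site-packages directory for the compromised lightning releases
WITHOUT importing the package (the malicious hook runs on import)."""
import re
import sysconfig
from pathlib import Path

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}                      # versions named in the advisory
HOOK_RELPATH = Path("lightning") / "_runtime" / "start.py"  # hook location named in the advisory
# Assumed indicators (not published signatures): Bun runtime, payload name,
# silenced subprocess I/O, and a network fetch from inside the hook.
SUSPICIOUS = [re.compile(p, re.I) for p in
              (r"\bbun\b", r"router_runtime\.js", r"\bDEVNULL\b",
               r"urlopen|urlretrieve|requests\.get")]


def installed_version(site_packages: Path):
    """Read lightning's version from its dist-info METADATA, never via import."""
    for info in site_packages.glob("lightning-*.dist-info"):
        meta = info / "METADATA"
        if meta.is_file():
            for line in meta.read_text(errors="replace").splitlines():
                if line.startswith("Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def scan_hook(site_packages: Path):
    """Return the indicator patterns matched in the import-time hook, or None if absent."""
    hook = site_packages / HOOK_RELPATH
    if not hook.is_file():
        return None
    text = hook.read_text(errors="replace")
    return [p.pattern for p in SUSPICIOUS if p.search(text)]


def audit(site_packages: Path):
    """Classify: COMPROMISED (known-bad version), SUSPICIOUS (hook with
    indicators but a version not on the list), otherwise CLEAN."""
    version = installed_version(site_packages)
    hits = scan_hook(site_packages)
    if version in MALICIOUS_VERSIONS:
        verdict = "COMPROMISED"
    elif hits:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return version, verdict, hits or []


if __name__ == "__main__":
    sp = Path(sysconfig.get_paths()["purelib"])
    version, verdict, hits = audit(sp)
    print(f"{sp}: lightning={version} verdict={verdict} indicators={hits}")
```

Run it inside every virtualenv and CI image that may have installed the package; a COMPROMISED or SUSPICIOUS verdict means the credential rotation described above applies to that host.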

Timeline

| Date       | Time (UTC) | Event                     |
|------------|------------|---------------------------|
| 2026-04-30 | 12:45      | lightning@2.6.2 published |
| 2026-04-30 | 12:52      | lightning@2.6.3 published |
| 2026-04-30 | ~15:00     | Package quarantined       |
