★ 9/10 · Security · 2026-04-30

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

A coordinated supply chain attack targeting the PyPI, npm, and Packagist ecosystems has been identified, involving the compromise of PyTorch Lightning and Intercom-client packages. The campaign, associated with the...

Captured 2026-04-30 16:31

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

Summary

A coordinated supply chain attack targeting the PyPI, npm, and Packagist ecosystems has been identified, involving the compromise of PyTorch Lightning and Intercom-client packages. The campaign, associated with the "Mini Shai-Hulud" incident, utilizes malicious updates to execute obfuscated JavaScript payloads designed for comprehensive credential theft and repository propagation.

Key Points

  • Malicious PyTorch Lightning versions 2.6.2 and 2.6.3 were published to PyPI via compromised publishing credentials, bypassing the GitHub source repository.
  • The intercom-client npm package (version 7.0.4) and intercom/intercom-php Packagist package (version 5.0.2) were identified as part of the same campaign.
  • The attack chain utilizes the Bun JavaScript runtime to execute an 11MB obfuscated payload named router_runtime.js.
  • Targeted data includes GitHub tokens, SSH keys, cloud credentials, Kubernetes secrets, Docker credentials, and .env files.
  • Exfiltration occurs via the endpoint zero.masscan[.]cloud:443/v1/telemetry or through the creation of public GitHub repositories using stolen tokens.
  • The malware features propagation capabilities that modify local package.json files with postinstall hooks and inject payloads into up to 50 repository branches.

Technical Details

The attack leverages automated execution hooks during the package installation process. In the PyTorch Lightning compromise, the malicious builds contained a hidden _runtime directory featuring a downloader. This triggers a Python script (start.py) that downloads and executes the Bun JavaScript runtime to run the router_runtime.js payload. For npm and Composer packages, the malware utilizes postinstall (npm) or post-install-cmd and post-update-cmd (Composer) hooks to execute a shell script (setup-intercom.sh) that initiates the same Bun-based execution chain.

The malware performs credential validation by checking stolen GitHub tokens against the api.github[.]com/user endpoint. Once validated, the malware performs an "upsert" operation, creating or overwriting files in up to 50 branches of a repository using a hardcoded identity designed to impersonate Anthropic's Claude Code. The npm-based propagation vector specifically targets the developer's local environment by modifying package.json with a postinstall hook and repacking .tgz tarballs, which infects downstream users if the tampered packages are published. In some instances, the infection occurs via transitive dependencies, such as the compromise of intercom-client via a local installation of pyannote-audio.

Impact / Why It Matters

Developers must immediately audit environments for PyTorch Lightning versions 2.6.2 and 2.6.3 and downgrade to the last known clean version, 2.6.1. All exposed credentials, including GitHub tokens, SSH keys, and cloud provider secrets, must be rotated immediately.

security supply chain attack python

↳ Sources