Lightning 2.6.x Malware: Check Your Local AI Stack

📚 More on this topic: OpenClaw ClawHub Security Alert · OpenClaw Security Report — March 2026 · OpenClaw Security Guide

PyPI’s lightning package was compromised on April 30, 2026. If you train models, run pip install regularly, or use Claude Code in any of your repos, here’s the 5-minute audit you should run right now. I ran it on my own RTX 3090 box yesterday and was clean. The commands below are what I actually used.

The short version: lightning versions 2.6.2 and 2.6.3 ship with a 14.8 MB obfuscated JavaScript payload that steals cloud credentials, GitHub tokens, and Actions secrets, then plants Claude Code SessionStart hooks and a malicious GitHub Actions workflow that keeps exfiltrating on every push. It’s attributed to the same actor behind the recent Mini Shai-Hulud npm campaign. Semgrep’s writeup is the authoritative source.

What happened

On April 30, 2026, two new versions of the lightning package landed on PyPI: 2.6.2 and 2.6.3. Both contain a hidden _runtime/ directory. Inside that directory: a Python loader (_runtime/start.py) and a 14.8 MB obfuscated JavaScript file (_runtime/router_runtime.js). The Python entrypoint runs on import, which means a plain pip install lightning followed by any code that touches the package activates the payload.

The malware sweeps the filesystem and environment for anything that looks like a credential. Per Semgrep, that includes GitHub tokens (ghp_, gho_, ghs_, npm_ prefixes), AWS credentials via env vars, config files, IMDSv2, ECS, and Secrets Manager, Azure credentials via DefaultAzureCredential into Key Vault, GCP credentials into Secret Manager, and roughly 80 known credential file paths up to 5 MB each. On GitHub Actions runners it goes further and dumps the Runner.Worker process memory to lift secrets directly.

The exfiltration channel is GitHub itself. Stolen data is published to attacker-created repositories. Repo descriptions carry the string A Mini Shai-Hulud has Appeared, and commit messages are prefixed with EveryBoiWeBuildIsAWormyBoi. Both are easy IOCs to grep for if you maintain access logs or audit GitHub orgs.

What makes this different from a normal credential-stealer is that it doesn’t stop at exfiltration. After the initial sweep, it plants persistence. That persistence is what should worry every Claude Code user reading this.

Why this matters: the Claude Code hook angle

This is the first documented case of malware abusing Claude Code’s hook system in the wild. Worth pausing on.

After harvesting credentials, the payload writes the following into any repo it can reach:

The SessionStart hook is the new concern. Claude Code fires SessionStart hooks the moment you open a session in a repo. There’s no tool use, no user prompt, no consent gesture. If you git pull an infected branch and then open Claude Code in that working tree, the malware runs. If your team uses Claude Code as a daily driver and one repo gets contaminated, every session is a re-execution.

The .vscode/tasks.json folderOpen task does the same job for VS Code users. The Formatter.yml workflow does it for CI runners. Three independent triggers, same payload, all firing on routine developer behavior.

The 5-minute audit

These are the exact commands I ran on my Linux box on April 30. They work on any Ubuntu/Debian-derived shell. macOS works with the same commands.

# 1. Check pip for the malicious package
pip list 2>/dev/null | grep -i lightning
# Repeat in each venv. The malicious version is the standalone `lightning`
# package at 2.6.2 or 2.6.3.

# 2. Find lightning package directories on disk
find ~ -name "lightning" -type d 2>/dev/null | head -20
find ~ -name "_runtime" -type d 2>/dev/null

# 3. Look for IOC files anywhere on disk
find ~ -path "*/.claude/router_runtime.js" 2>/dev/null
find ~ -path "*/.claude/setup.mjs" 2>/dev/null
find ~ -path "*/.vscode/setup.mjs" 2>/dev/null

# 4. Inspect Claude Code settings for unexpected hooks
cat ~/.claude/settings.json 2>/dev/null
find ~/Desktop -name ".claude" -type d 2>/dev/null

# 5. Check for the malicious GitHub Actions workflow
find ~ -name "Formatter.yml" -path "*/.github/workflows/*" 2>/dev/null

Clean output for steps 3, 4 (workflow check), and 5 means you don’t have IOC files. Step 1 should return either nothing or a lightning row at a version other than 2.6.2 or 2.6.3. Step 2 will return real lightning package paths if you have it installed. Read those paths carefully.

Run twice if you have multiple Python environments. I have four venvs on Miu and ran step 1 inside each one before signing off.

False positive heads-up

If you have PyTorch installed, step 2 will surface torch/ao/pruning/_experimental/data_sparsifier/lightning. That’s a directory inside the torch package itself, not the standalone lightning PyPI package. I caught this on my first pass and almost panicked. The malicious package is at the top level of site-packages/, like site-packages/lightning/ or site-packages/lightning-2.6.2.dist-info/. Anything deep inside torch/ is unrelated.

The fast tell: find ~ -name "_runtime" -type d returns nothing if you’re clean. The torch internal directory has no _runtime subfolder.

If you find IOCs

Don’t open Claude Code in the affected repo. The hook fires on session start, and that gives the attacker fresh execution every time. Same for VS Code and the folderOpen task.

Rotate immediately. Anything the payload can see is gone. Treat the following as compromised: GitHub personal access tokens, GitHub Actions secrets across any org you’ve authenticated to, HuggingFace tokens (HF_TOKEN), AWS access keys, Azure credentials, GCP service account keys, npm tokens, any .env file contents on disk.

Quarantine the venv. Rename it rather than deleting it: mv .venv .venv.compromised. The directory is forensic evidence. If you have time, archive a copy off the machine before further work.

Audit your git log. Look at commits to .claude/, .vscode/, and .github/workflows/ paths in any repo where the malicious package touched the working tree. If those paths have unexpected commits, the attacker had write access to the repo or to your GitHub credentials.

If you run any GitHub Actions workflows that use those credentials, assume artifact downloads have been published. Revoke any deploy keys, rotate any environment secrets, and check the artifact history for format-results uploads.

Hygiene going forward

Pin lightning to <2.6.2 in any requirements.txt or pyproject.toml you control until 2.6.4+ ships clean. Don’t pip install lightning for new work this week. Watch the PyTorch Lightning GitHub releases page for the all-clear version.

Run pip-audit or safety against your existing requirements files. Both will flag known-bad versions once advisories propagate. If you don’t have either of these in CI, this is the week to add one.

For new packages you don’t recognize, pip install --dry-run shows the dependency graph before anything touches disk. It won’t catch a poisoned dependency the first time, but it will surface unexpected transitive pulls.

The longer-term picture is that Claude Code hooks, VS Code tasks, and GitHub Actions all run developer code automatically. Local-AI work pulls in a deep Python dep tree. The attack surface is large and this won’t be the last attack of this shape.

If you want the broader context on AI-tooling supply-chain risk, our OpenClaw ClawHub security alert covers a parallel campaign across the OpenClaw skills registry, and the March 2026 OpenClaw security report documents the full-registry audit findings. The threat models rhyme.

Run the audit

If you’ve installed lightning at any point in 2026 and you can’t remember which venvs are touched, run the five steps above before you open Claude Code today. The audit takes longer to read about than to run.

If you find anything, post in the Semgrep advisory comments so the picture stays current. My run was clean. The next person’s might not be.