PyTorch Lightning + intercom-client + intercom-php coordinated push
Mini Shai-Hulud wave 2: coordinated April 30 release of lightning 2.6.2/2.6.3 (PyPI), intercom-client 7.0.4/7.0.5 (npm), and intercom/intercom-php 5.0.2 (Packagist) carrying the same Bun-based credential stealer used in the SAP/@cap-js wave. ~11.7MB router_runtime.js fires preinstall on npm; a .pth file fires at every Python import on PyPI. Worm propagation via stolen GitHub PATs labelled "OhNoWhatsGoingOnWithGitHub:".
- Detected by
- Socket · Wiz · Snyk · JFrog · Aikido
- Also known as
- Mini Shai-Hulud Wave 2
- Ecosystems
- npmPackagistPyPI
- Packages tracked
- 3
What happened
On 2026-04-30 the Mini Shai-Hulud crew (the same operators behind the SAP / @cap-js April 29 wave) staged a coordinated multi-ecosystem push: lightning 2.6.2 and 2.6.3 landed on PyPI, intercom-client 7.0.4 and 7.0.5 on npm, and intercom/intercom-php 5.0.2 on Packagist — all within a tight window and all carrying the same Bun-based credential stealer.
The npm side wires execution through a preinstall hook that pulls router_runtime.js — an ~11.7MB obfuscated bundle — and runs it under Bun. The PyPI side bypasses install hooks entirely: a .pth file dropped into site-packages re-executes the stealer on every Python interpreter start, so pip install --no-build-isolation and similar flags do NOT mitigate. The Packagist variant uses Composer plugin hooks fired on composer install and composer update.
The payload scrapes AWS, GCP, and Azure metadata endpoints at install/import time, harvests GitHub PATs, npm tokens, and SSH keys, and uses stolen tokens to publish further poisoned versions of any package the victim could push to — the classic worm propagation step. Compromised hosts also create signal repos on GitHub with the description A Mini Shai-Hulud has Appeared, and stolen tokens are catalogued under the label OhNoWhatsGoingOnWithGitHub:.
- npm IOC:
router_runtime.js,setup.mjs, and_runtime/directories insidenode_modules - PyPI IOC: a
lightning.pth(or similarly named) file dropped insite-packages - Packagist IOC: unexpected Composer plugin hooks firing on install/update
Vendor coverage split the campaign across multiple posts: Wiz originally folded lightning into the TanStack analysis, but Socket, Snyk, JFrog, and Aikido independently confirmed it as a separate April 30 wave with its own publish timing distinct from the May 11 TanStack burst.
Affected packages (3)
- npm
intercom-client7.0.47.0.5 - Packagist
intercom/intercom-php5.0.2 - PyPI
lightning2.6.22.6.3
Impact
- AWS/GCP/Azure cloud metadata harvesting at install/import time
- GitHub PAT, npm token, SSH key theft
- Self-propagation: stolen tokens used to publish poisoned versions of any package the victim could push to
- Composer plugin hooks on the Packagist side trigger on
composer install/update
What to do
- 1Pin lightning ≤ 2.6.1 (PyPI), intercom-client ≤ 7.0.3 (npm), intercom/intercom-php ≤ 5.0.1 (Packagist)
- 2Rotate GitHub PATs, npm tokens, cloud credentials, and SSH keys on any host that installed during the window
- 3Search GitHub for repos created with description "A Mini Shai-Hulud has Appeared"
- 4Hunt for
router_runtime.js,setup.mjs, and_runtime/directories in node_modules and site-packages