Feed
CriticalPublished 30 Apr 20263 packages · 5 versions

PyTorch Lightning + intercom-client + intercom-php coordinated push

Summary

Mini Shai-Hulud wave 2: coordinated April 30 release of lightning 2.6.2/2.6.3 (PyPI), intercom-client 7.0.4/7.0.5 (npm), and intercom/intercom-php 5.0.2 (Packagist) carrying the same Bun-based credential stealer used in the SAP/@cap-js wave. ~11.7MB router_runtime.js fires preinstall on npm; a .pth file fires at every Python import on PyPI. Worm propagation via stolen GitHub PATs labelled "OhNoWhatsGoingOnWithGitHub:".

wormcredential-theftmaintainer-takeoverci-cd-compromiseobfuscation
Detected by
Socket · Wiz · Snyk · JFrog · Aikido
Also known as
Mini Shai-Hulud Wave 2
Ecosystems
npmPackagistPyPI
Packages tracked
3

What happened

On 2026-04-30 the Mini Shai-Hulud crew (the same operators behind the SAP / @cap-js April 29 wave) staged a coordinated multi-ecosystem push: lightning 2.6.2 and 2.6.3 landed on PyPI, intercom-client 7.0.4 and 7.0.5 on npm, and intercom/intercom-php 5.0.2 on Packagist — all within a tight window and all carrying the same Bun-based credential stealer.

The npm side wires execution through a preinstall hook that pulls router_runtime.js — an ~11.7MB obfuscated bundle — and runs it under Bun. The PyPI side bypasses install hooks entirely: a .pth file dropped into site-packages re-executes the stealer on every Python interpreter start, so pip install --no-build-isolation and similar flags do NOT mitigate. The Packagist variant uses Composer plugin hooks fired on composer install and composer update.

The payload scrapes AWS, GCP, and Azure metadata endpoints at install/import time, harvests GitHub PATs, npm tokens, and SSH keys, and uses stolen tokens to publish further poisoned versions of any package the victim could push to — the classic worm propagation step. Compromised hosts also create signal repos on GitHub with the description A Mini Shai-Hulud has Appeared, and stolen tokens are catalogued under the label OhNoWhatsGoingOnWithGitHub:.

  • npm IOC: router_runtime.js, setup.mjs, and _runtime/ directories inside node_modules
  • PyPI IOC: a lightning.pth (or similarly named) file dropped in site-packages
  • Packagist IOC: unexpected Composer plugin hooks firing on install/update

Vendor coverage split the campaign across multiple posts: Wiz originally folded lightning into the TanStack analysis, but Socket, Snyk, JFrog, and Aikido independently confirmed it as a separate April 30 wave with its own publish timing distinct from the May 11 TanStack burst.

Affected packages (3)

  • npmintercom-client
    7.0.47.0.5
  • Packagistintercom/intercom-php
    5.0.2
  • PyPIlightning
    2.6.22.6.3

Impact

  • AWS/GCP/Azure cloud metadata harvesting at install/import time
  • GitHub PAT, npm token, SSH key theft
  • Self-propagation: stolen tokens used to publish poisoned versions of any package the victim could push to
  • Composer plugin hooks on the Packagist side trigger on composer install / update

What to do

  1. 1Pin lightning ≤ 2.6.1 (PyPI), intercom-client ≤ 7.0.3 (npm), intercom/intercom-php ≤ 5.0.1 (Packagist)
  2. 2Rotate GitHub PATs, npm tokens, cloud credentials, and SSH keys on any host that installed during the window
  3. 3Search GitHub for repos created with description "A Mini Shai-Hulud has Appeared"
  4. 4Hunt for router_runtime.js, setup.mjs, and _runtime/ directories in node_modules and site-packages

References

multi-2026-04-30-mini-shai-hulud-wave2