Introduction:
A sophisticated adversary has just compromised two of the most popular software packages across Python and Node.js ecosystems: `lightning` (2.6.2/2.6.3) on PyPI and `intercom-client` (7.0.4) on npm. Both attacks deploy an ~11MB obfuscated JavaScript file that harvests GitHub tokens, npm tokens, AWS/Azure/GCP credentials, Kubernetes secrets, Vault tokens, and CI/CD environment variables – then exfiltrates everything via the GitHub API while impersonating Anthropic’s Code.
Learning Objectives:
- Identify and mitigate live supply chain compromises in PyPI and npm packages
- Audit infected repositories for unauthorized commits, hidden backdoors, and credential theft
- Implement defense-in-depth strategies against worm‑like propagation and maintainer account takeovers
You Should Know:
1. Immediate Detection & Removal of Malicious Packages
Both attacks inject identical payloads: a setup script downloads and executes the Bun runtime from GitHub, then runs an obfuscated router_runtime.js. The `lightning` package triggers on import; `intercom-client` executes during install.
Step‑by‑step guide to detect and remove:
Linux / macOS:
```bash
# Check currently installed versions
pip show lightning | grep Version
npm list intercom-client

# Remove malicious versions
pip uninstall lightning -y
npm uninstall intercom-client

# Force clean install of safe versions
pip install lightning==2.6.1
npm install [email protected]

# Verify no residual files
find ~/.cache/pip -name "*lightning*" -exec rm -rf {} \;
find . -name "router_runtime.js" -delete
```
Windows (PowerShell as Admin):
```powershell
pip show lightning | Select-String "Version"
npm list intercom-client
pip uninstall lightning -y
npm uninstall intercom-client
pip install lightning==2.6.1
npm install [email protected]
Get-ChildItem -Path . -Filter "router_runtime.js" -Recurse | Remove-Item -Force
```
2. Credential Rotation & Environment Hardening
The malware harvests environment variables, cloud tokens, and CI/CD secrets. Assume all credentials on any system that ran the malicious packages are compromised.
Step‑by‑step rotation commands:
GitHub token revocation:
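```bash
# Show which account and credential source gh is using (Linux/macOS)
gh auth status
# Prints the stored token in clear text; avoid running it where output is logged
gh auth token

# gh cannot revoke personal access tokens, and `gh auth refresh --scopes delete_repo`
# only adds a scope to the existing gh token. Revoke exposed tokens in the web UI
# (Settings → Developer settings → Personal access tokens, and
# Settings → Applications → Authorized OAuth Apps), then remove the local credential:
gh auth logout

# The OAuth Authorizations endpoint (DELETE /authorizations/YOUR_TOKEN_ID) has been
# removed from the GitHub API and cannot be used for revocation.
```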
AWS credential rotation:
```bash
# List and deactivate exposed access keys
aws iam list-access-keys --user-name YOUR_USER
aws iam update-access-key --user-name YOUR_USER --access-key-id EXPOSED_KEY --status Inactive
aws iam create-access-key --user-name YOUR_USER

# Clear the old credentials from the current shell
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
```
Kubernetes secrets regeneration:
```bash
# Delete and recreate secrets
kubectl delete secret vulnerable-secret
kubectl create secret generic new-secret --from-literal=key=new-value

# Rotate all service account tokens
kubectl rollout restart deployment --all
```
3. Repository Forensics: Detecting Unauthorized Commits
Attackers used stolen tokens to commit poisoned files to every branch, impersonating @users.noreply.github.com. They also created misspelled Dependabot branches.
Audit commands (Linux/macOS):
```bash
# Find commits by the fake account
git log --author="@users.noreply.github.com" --oneline --all

# List branches that resemble "dependabot" but are not under the real dependabot/ prefix
git branch -a --format='%(refname:short)' | grep -iE 'dep[a-z0-9]*b[a-z0-9]*t' | grep -vE '^(origin/)?dependabot/'

# Check for hidden directories
find . -type d \( -name "." -o -name ".vscode" \) -exec ls -la {} \;

# Scan for postinstall hooks in npm packages (top-level and scoped)
grep -H "postinstall" package.json node_modules/*/package.json node_modules/@*/*/package.json 2>/dev/null
```
Windows PowerShell:
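```powershell
git log --author="@users.noreply.github.com" --oneline --all
# Branches that resemble "dependabot" but are not under the real dependabot/ prefix
git branch -a --format='%(refname:short)' | Select-String 'dep[a-z0-9]*b[a-z0-9]*t' | Where-Object { $_.Line -notmatch '^(origin/)?dependabot/' }
# -Force includes dot-directories, which do not carry the Windows hidden attribute
Get-ChildItem -Force -Directory -Include ".",".vscode" -Recurse
Select-String -Path package.json, node_modules\*\package.json -Pattern "postinstall"
```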
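An added example, not from the original article: it flags branch names whose first path component is within a small edit distance of `dependabot` without matching it exactly. The misspellings in the sample list are constructed, and the remote is assumed to be named `origin`.

```python
LEGIT = "dependabot"

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def suspicious_branches(refs, max_distance=2):
    """Return (ref, distance) for refs that look like, but are not, dependabot/ branches."""
    flagged = []
    for ref in refs:
        name = ref.strip().lstrip("* ")       # drop the current-branch marker
        for prefix in ("remotes/", "origin/"):  # assumption: remote is called origin
            if name.startswith(prefix):
                name = name[len(prefix):]
        head = name.split("/", 1)[0].lower()
        distance = edit_distance(head, LEGIT)
        if 0 < distance <= max_distance:
            flagged.append((ref.strip(), distance))
    return flagged

# Constructed `git branch -a` output; the misspelled names are illustrative only
SAMPLE_REFS = [
    "* main",
    "  remotes/origin/HEAD -> origin/main",
    "  remotes/origin/dependabot/pip/requests-2.32.0",
    "  remotes/origin/dependabout/pip/urllib3-2.2.1",
    "  remotes/origin/dependbot/npm_and_yarn/lodash-4.17.21",
]

if __name__ == "__main__":
    for ref, distance in suspicious_branches(SAMPLE_REFS):
        print(f"{ref}  (edit distance {distance})")
```

Feed it the real list with `git branch -a` split into lines; anything it reports should be checked against the branch's creating account and commit contents before deletion.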
4. Blocking Exfiltration via GitHub API
The malware exfiltrates stolen credentials through the GitHub API. Implement network and API controls to stop data leakage.
Step‑by‑step API hardening:
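Create a GitHub API allowlist (Enterprise only). GitHub itself does not read a repository file for this; IP allow lists are applied in the organization or enterprise security settings, so the entries below are the values to enter there:

```yaml
# .github/settings.yml
api_ip_allow_list:
  enabled: true
  ip_allow_list:
    - 192.168.1.0/24   # Your CI/CD runners
    - 203.0.113.0/24   # Corporate VPN
```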
Detect abnormal API calls in real‑time:
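```bash
# Monitor GitHub API logs for large payloads (Linux)
# Assumes a locally exported log at this path whose last field is the request size in bytes
tail -f /var/log/github_audit.log | grep --line-buffered -E "POST|PATCH" | \
  awk '$NF > 11000000 { print "Large exfil detected: " $0 }'
```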
Use a firewall to rate‑limit outbound API traffic:
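```bash
# iptables rules to cap new GitHub API connections
# (the hostname is resolved once, when each rule is added)
iptables -A OUTPUT -d api.github.com -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d api.github.com -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
iptables -A OUTPUT -d api.github.com -j DROP
```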
5. Supply Chain Hardening Against Maintainer Takeover
This attack succeeded via compromised maintainer accounts. Traditional dependency pinning fails when the maintainer is malicious.
Implement npm and PyPI verified publishing:
npm (publish with provenance):
```bash
# Enable two-factor authentication for npm publish
npm profile enable-2fa auth-and-writes

# Publish with provenance (requires npm 9.5+)
npm publish --provenance --access public

# Verify registry signatures and provenance attestations of the installed dependencies
npm audit signatures
```
PyPI (using Trusted Publishers):
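```yaml
# Generate an OIDC token for GitHub Actions
# In your repo: Settings → Secrets and variables → Actions → Add repository secret
# Name: PYPI_TOKEN, Value: (from pypi.org/manage/account/token)
# With a Trusted Publisher configured, the job below authenticates through
# id-token: write and never reads PYPI_TOKEN.

# .github/workflows/publish.yml
name: Publish to PyPI
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      # Build the sdist and wheel into dist/, which the publish action uploads
      - run: pipx run build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true  # Enables sigstore signing
```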
6. Behavioral Detection of the Shai‑Hulud Worm Pattern
The attacker campaign uses consistent fingerprints: Bun runtime execution, obfuscated JavaScript, and credential probing with misspelled branch names.
Create a detection script (Linux bash):
```bash
#!/bin/bash
# shai_hulud_detector.sh
echo "[*] Scanning for Shai-Hulud indicators"

# Detect Bun runtime
if pgrep -f "bun run" > /dev/null; then
  echo "[!] Bun runtime detected - potential malware"
  # Bracketed first letters keep grep from matching its own process
  ps aux | grep -E "[b]un|[r]outer_runtime"
fi

# Find obfuscated JS >10MB
find / -name "*.js" -size +10M -exec ls -lh {} \; 2>/dev/null

# Check for unauthorized env variable exfil
# No -n, so lsof resolves hostnames; print variable names only, never the secret values
lsof -i -P | grep "github.com" | while read -r line; do
  pid=$(echo "$line" | awk '{print $2}')
  cat "/proc/$pid/environ" 2>/dev/null | tr '\0' '\n' | grep -E "TOKEN|SECRET|KEY" | cut -d= -f1
done
```
Windows event monitor (PowerShell):
```powershell
# Monitor processes for Bun running the payload script
while ($true) {
    Get-CimInstance Win32_Process | Where-Object { $_.Name -match "bun|node" } | ForEach-Object {
        # A script file appears in the command line, not in the loaded-module list
        if ($_.CommandLine -match "router_runtime") {
            Write-Warning "Malicious JS loaded in PID $($_.ProcessId)"
            Stop-Process -Id $_.ProcessId -Force
        }
    }
    Start-Sleep -Seconds 5
}
```
What Undercode Say:
- Key Takeaway 1: Maintainer account compromise is the new zero‑day – no amount of SBOM or pinning protects you when the publisher goes rogue. Rotate ALL credentials and enforce hardware‑based 2FA (WebAuthn) on every maintainer account.
- Key Takeaway 2: Worm‑style propagation across ecosystems (PyPI → npm → GitHub repos) proves that cross‑language supply chain attacks are now operational reality. You need runtime behavioral detection of obfuscated script execution and outbound API data exfiltration.
Analysis: This attack bypasses traditional SAST/DAST because the malicious code is hidden inside an 11MB obfuscated file downloaded post‑install. The attackers didn’t just inject a simple backdoor – they built a credential‑harvesting worm that actively poisons upstream repos. The speed of disclosure suppression (1 minute on Lightning‑AI) indicates attackers had full control of notification systems. The use of Bun (a fast JavaScript runtime) instead of Node.js evades typical process monitoring. Most alarming: the infrastructure reuses the same payload across languages, suggesting a modular, reusable attack framework. Defenders must now assume that any package maintainer could be compromised at any time. Immediate credential rotation and isolated rebuilds are the only safe responses.
Prediction:
Within 12 months, we will see the first “supply chain worm” that autonomously moves from a compromised npm package to PyPI, then to RubyGems, and finally into container registries – all without human interaction. Attackers will weaponize GitHub Actions secrets to auto‑create malicious pull requests in thousands of dependent repos simultaneously. The industry will be forced to adopt mandatory attestations (Sigstore) and runtime sandboxing for package installation scripts. Regulatory bodies (CISA, ENISA) will issue emergency directives requiring all open‑source maintainers to use hardware security keys and remote attestation before publishing. Companies that rely on third‑party packages will start running all dependency installations inside disposable, network‑isolated containers with zero outbound API access by default.


