ALERT: Two Major Supply Chain Attacks Hit PyPI & npm Simultaneously – Your Credentials Are at Risk!

Introduction:

A sophisticated adversary has just compromised two of the most popular software packages across Python and Node.js ecosystems: `lightning` (2.6.2/2.6.3) on PyPI and `intercom-client` (7.0.4) on npm. Both attacks deploy an ~11MB obfuscated JavaScript file that harvests GitHub tokens, npm tokens, AWS/Azure/GCP credentials, Kubernetes secrets, Vault tokens, and CI/CD environment variables – then exfiltrates everything via the GitHub API while impersonating Anthropic’s Code.

Learning Objectives:

  • Identify and mitigate live supply chain compromises in PyPI and npm packages
  • Audit infected repositories for unauthorized commits, hidden backdoors, and credential theft
  • Implement defense-in-depth strategies against worm‑like propagation and maintainer account takeovers

You Should Know:

1. Immediate Detection & Removal of Malicious Packages

Both attacks inject identical payloads: a setup script downloads and executes the Bun runtime from GitHub, then runs an obfuscated router_runtime.js. The `lightning` package triggers on import; `intercom-client` executes during install.

Step‑by‑step guide to detect and remove:

Linux / macOS:

```bash
# Check currently installed versions
pip show lightning | grep Version
npm list intercom-client

# Remove malicious versions
pip uninstall lightning -y
npm uninstall intercom-client

# Force clean install of safe versions
pip install lightning==2.6.1
npm install intercom-client@KNOWN_GOOD_VERSION   # pin a release you have verified

# Verify no residual files
find ~/.cache/pip -name "*lightning*" -exec rm -rf {} \;
find . -name "router_runtime.js" -delete
```

Windows (PowerShell as Admin):

```powershell
pip show lightning | Select-String "Version"
npm list intercom-client
pip uninstall lightning -y
npm uninstall intercom-client
pip install lightning==2.6.1
npm install intercom-client@KNOWN_GOOD_VERSION   # pin a release you have verified
Get-ChildItem -Path . -Filter "router_runtime.js" -Recurse | Remove-Item -Force
```
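The version check above only covers the active environment, so this added example (not code from the original article) applies the same version list to `requirements.txt` / `pip freeze` output and to a `package-lock.json`, including transitive copies. The function names, the sample inputs and the `helpdesk-sdk` dependency are assumptions made for illustration.

```python
import json
import re

# Compromised releases named in this article.
BAD_PYPI = {"lightning": {"2.6.2", "2.6.3"}}
BAD_NPM = {"intercom-client": {"7.0.4"}}
# "name[extras]==version" as written in requirements.txt or `pip freeze` output.
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize(name):
    """PEP 503 normalisation, so 'Lightning' and 'lightning' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (name, version) for each exact pin that matches a bad release."""
    hits = []
    for line in text.splitlines():
        m = PIN.match(line)
        if m and m.group(2) in BAD_PYPI.get(normalize(m.group(1)), ()):
            hits.append((normalize(m.group(1)), m.group(2)))
    return hits

def scan_package_lock(text):
    """Check a lockfile v2/v3 'packages' map, nested (transitive) copies included."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # "" for the root project
        if meta.get("version") in BAD_NPM.get(name, ()):
            hits.append((path, meta["version"]))
    return hits

# Constructed sample inputs; "helpdesk-sdk" is a hypothetical dependency.
SAMPLE_REQS = """\
torch==2.3.0
Lightning[extra]==2.6.3   # pulled in by a training job
lightning==2.6.1
requests>=2.31
"""
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/intercom-client": {"version": "6.4.0"},
    "node_modules/helpdesk-sdk/node_modules/intercom-client": {"version": "7.0.4"},
}})

if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQS))
    print(scan_package_lock(SAMPLE_LOCK))
```

Range specifiers such as `lightning>=2.6` are not flagged, because they do not say which release was actually installed; check the resolved lockfile or `pip freeze` output for those.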

2. Credential Rotation & Environment Hardening

The malware harvests environment variables, cloud tokens, and CI/CD secrets. Assume all credentials on any system that ran the malicious packages are compromised.

Step‑by‑step rotation commands:

GitHub token revocation:

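```bash
# Show which account and token the gh CLI is using (Linux/macOS)
gh auth status
gh auth token   # prints the token itself; avoid running it where output is logged

# Remove the token stored locally by gh. This does not revoke it on GitHub's side,
# so also delete exposed personal access tokens under
# Settings → Developer settings → Personal access tokens
gh auth logout

# Or use the GitHub API (legacy OAuth Authorizations endpoint, which GitHub has
# since removed; on current GitHub, revoke the token in the web settings instead)
curl -X DELETE -H "Authorization: token YOUR_TOKEN" \
  https://api.github.com/authorizations/YOUR_TOKEN_ID
```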

AWS credential rotation:

```bash
# List and deactivate exposed access keys
aws iam list-access-keys --user-name YOUR_USER
aws iam update-access-key --user-name YOUR_USER --access-key-id EXPOSED_KEY --status Inactive
aws iam create-access-key --user-name YOUR_USER

# Rotate environment variables (clear the exposed values from the current shell)
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
```

Kubernetes secrets regeneration:

```bash
# Delete and recreate secrets
kubectl delete secret vulnerable-secret
kubectl create secret generic new-secret --from-literal=key=new-value

# Rotate all service account tokens
kubectl rollout restart deployment --all
```

3. Repository Forensics: Detecting Unauthorized Commits

Attackers used stolen tokens to commit poisoned files to every branch, impersonating @users.noreply.github.com. They also created misspelled Dependabot branches.

Audit commands (Linux/macOS):

```bash
# Find commits by the fake account
git log --author="@users.noreply.github.com" --oneline --all

# List suspicious branches with "dependabot" misspellings
# (git branch -a indents its output, so the exclusion pattern is not anchored with ^)
git branch -a | grep -i dependabot | grep -v "remotes/origin/dependabot/"

# Check for hidden directories
find . -type d \( -name "." -o -name ".vscode" \) -exec ls -la {} \;

# Scan for postinstall hooks in npm packages
grep -r "postinstall" package.json node_modules/*/package.json
```

Windows PowerShell:

```powershell
git log --author="@users.noreply.github.com" --oneline --all
git branch -a | Select-String "dependabot" | Where-Object {$_ -notmatch "origin/dependabot"}
Get-ChildItem -Hidden -Directory -Include ".",".vscode" -Recurse
Select-String -Path package.json, node_modules\*\package.json -Pattern "postinstall"
```
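A substring match on "dependabot" cannot see a branch whose name is spelled differently, so this added example (not part of the original article) flags refs whose first path segment is within two edits of `dependabot`. The misspellings in the sample are constructed, since the article does not list the actual branch names, and the function names are assumptions.

```python
def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def branch_name(ref):
    """Strip refs/heads/ or refs/remotes/<remote>/ from a full ref name."""
    parts = ref.strip().split("/")
    if parts[:2] == ["refs", "heads"]:
        return "/".join(parts[2:])
    if parts[:2] == ["refs", "remotes"]:
        return "/".join(parts[3:])
    return ref.strip()

def lookalike_branches(refs, legit="dependabot", max_distance=2):
    """Return (ref, distance) for branches whose first path segment is a near miss."""
    hits = []
    for ref in refs:
        prefix = branch_name(ref).split("/")[0].lower()
        distance = edit_distance(prefix, legit)
        if 0 < distance <= max_distance:
            hits.append((ref.strip(), distance))
    return hits

# Constructed sample, shaped like `git for-each-ref --format='%(refname)'` output.
SAMPLE_REFS = """\
refs/heads/main
refs/heads/feature/login
refs/remotes/origin/HEAD
refs/remotes/origin/dependabot/npm_and_yarn/lodash-4.17.21
refs/remotes/origin/dependabout/github_actions/setup-node-4
refs/remotes/origin/dependbot/pip/requests-2.32.0
""".splitlines()

if __name__ == "__main__":
    for ref, distance in lookalike_branches(SAMPLE_REFS):
        print(f"{distance} edit(s) from 'dependabot': {ref}")
```

A correctly spelled `dependabot/` branch is not proof of legitimacy; this check only surfaces near-miss names, so still review the commit authors on every flagged and unflagged branch.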

4. Blocking Exfiltration via GitHub API

The malware exfiltrates stolen credentials through the GitHub API. Implement network and API controls to stop data leakage.

Step‑by‑step API hardening:

Create a GitHub API allowlist (Enterprise only):

```yaml
# .github/settings.yml
api_ip_allow_list:
  enabled: true
  ip_allow_list:
    - 192.168.1.0/24  # Your CI/CD runners
    - 203.0.113.0/24  # Corporate VPN
```

Detect abnormal API calls in real‑time:

```bash
# Monitor GitHub API logs for large payloads (Linux)
tail -f /var/log/github_audit.log | grep -E "POST|PATCH" | \
  awk '{if($NF > 11000000) print "Large exfil detected: " $0}'
```

Use a firewall to rate‑limit outbound API traffic:

```bash
# iptables rule to cap GitHub API connections
# (the hostname is resolved to IP addresses once, when the rule is added)
iptables -A OUTPUT -d api.github.com -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
iptables -A OUTPUT -d api.github.com -j DROP
```

5. Supply Chain Hardening Against Maintainer Takeover

This attack succeeded via compromised maintainer accounts. Traditional dependency pinning fails when the maintainer is malicious.

Implement npm and PyPI verified publishing:

npm (publish with provenance):

```bash
# Enable two-factor authentication for npm publish
npm profile enable-2fa auth-and-writes

# Publish with provenance (requires npm 9.5+)
npm publish --provenance --access public

# Verify package integrity before install
npm audit signatures
```

PyPI (using Trusted Publishers):

```yaml
# Generate an OIDC token for GitHub Actions
# In your repo: Settings → Secrets and variables → Actions → Add repository secret
# Name: PYPI_TOKEN, Value: (from pypi.org/manage/account/token)

# .github/workflows/publish.yml
name: Publish to PyPI
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true  # Enables sigstore signing
```

6. Behavioral Detection of the Shai‑Hulud Worm Pattern

The attacker campaign uses consistent fingerprints: Bun runtime execution, obfuscated JavaScript, and credential probing with misspelled branch names.

Create a detection script (Linux bash):

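```bash
#!/bin/bash
# shai_hulud_detector.sh
echo "[*] Scanning for Shai-Hulud indicators"

# Detect Bun runtime
if pgrep -f "bun run" > /dev/null; then
    echo "[!] Bun runtime detected - potential malware"
    ps aux | grep -E "bun|router_runtime" | grep -v grep
fi

# Find obfuscated JS >10MB
find / -name "*.js" -size +10M -exec ls -lh {} \; 2>/dev/null

# Check for unauthorized env variable exfil.
# lsof -n would print bare IP addresses, so it is dropped here to let the hostname
# match work; reverse lookups may not return api.github.com itself, so match github.com.
# Only variable names are printed, so the scan does not copy secrets into its own output.
lsof -i -P | grep -i "github\.com" | awk '{print $2}' | sort -u | while read -r pid; do
    echo "[!] PID $pid is connected to GitHub"
    cat "/proc/$pid/environ" 2>/dev/null | tr '\0' '\n' | grep -E "TOKEN|SECRET|KEY" | cut -d= -f1
done
```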

Windows event monitor (PowerShell):

```powershell
# Monitor processes for Bun download
while ($true) {
    # A script passed to bun/node appears in the process command line, not in its loaded modules
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match "bun|node" -and $_.CommandLine -match "router_runtime" } |
        ForEach-Object {
            Write-Warning "Malicious JS loaded in PID $($_.ProcessId)"
            Stop-Process -Id $_.ProcessId -Force
        }
    Start-Sleep -Seconds 5
}
```
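For the on-disk side of these fingerprints, this added example (not code from the original article) walks a project tree, reports every npm install-time lifecycle script, scoped packages included, and flags `router_runtime.js` or oversized `.js` files. The function names and the `@example/sdk` package in the constructed demo tree are assumptions.

```python
import json
import os
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")
MARKER = re.compile(r"\bbun\b|router_runtime", re.I)  # fingerprints from the article
BIG_JS = 10 * 1024 * 1024                             # the article's ">10MB" threshold

def hook_findings(path):
    """Report every install-time lifecycle script declared in one package.json."""
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (OSError, ValueError, AttributeError):
        return []                                     # unreadable or malformed manifest
    if not isinstance(scripts, dict):
        return []
    return [("hook-marker" if MARKER.search(scripts[h]) else "hook", path, f"{h}: {scripts[h]}")
            for h in HOOKS if isinstance(scripts.get(h), str)]

def scan_tree(root, big_js=BIG_JS):
    """Walk root and return (kind, path, detail) tuples for each indicator found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == "package.json":
                findings += hook_findings(path)
            elif fname == "router_runtime.js":
                findings.append(("payload-name", path, fname))
            elif fname.endswith(".js") and os.path.getsize(path) > big_js:
                findings.append(("large-js", path, f"{os.path.getsize(path)} bytes"))
    return findings

def demo():
    """Build a constructed node_modules tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root, "node_modules", "@example", "sdk")   # hypothetical package
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps(
            {"scripts": {"preinstall": "bun run router_runtime.js", "test": "jest"}}))
        (pkg / "bundle.js").write_text("x" * 64)
        # Size threshold lowered to 32 bytes so the tiny sample file trips it.
        return [(kind, detail) for kind, _path, detail in scan_tree(root, big_js=32)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Plain `hook` findings are common in legitimate packages (native builds, for instance), so treat them as a review list and the `hook-marker`, `payload-name` and `large-js` kinds as the ones to escalate.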

What Undercode Say:

  • Key Takeaway 1: Maintainer account compromise is the new zero‑day – no amount of SBOM or pinning protects you when the publisher goes rogue. Rotate ALL credentials and enforce hardware‑based 2FA (WebAuthn) on every maintainer account.
  • Key Takeaway 2: Worm‑style propagation across ecosystems (PyPI → npm → GitHub repos) proves that cross‑language supply chain attacks are now operational reality. You need runtime behavioral detection of obfuscated script execution and outbound API data exfiltration.

  • Analysis: This attack bypasses traditional SAST/DAST because the malicious code is hidden inside an 11MB obfuscated file downloaded post‑install. The attackers didn’t just inject a simple backdoor – they built a credential‑harvesting worm that actively poisons upstream repos. The speed of disclosure suppression (1 minute on Lightning‑AI) indicates attackers had full control of notification systems. The use of Bun (a fast JavaScript runtime) instead of Node.js evades typical process monitoring. Most alarming: the infrastructure reuses the same payload across languages, suggesting a modular, reusable attack framework. Defenders must now assume that any package maintainer could be compromised at any time. Immediate credential rotation and isolated rebuilds are the only safe responses.

Prediction:

Within 12 months, we will see the first “supply chain worm” that autonomously moves from a compromised npm package to PyPI, then to RubyGems, and finally into container registries – all without human interaction. Attackers will weaponize GitHub Actions secrets to auto‑create malicious pull requests in thousands of dependent repos simultaneously. The industry will be forced to adopt mandatory attestations (Sigstore) and runtime sandboxing for package installation scripts. Regulatory bodies (CISA, ENISA) will issue emergency directives requiring all open‑source maintainers to use hardware security keys and remote attestation before publishing. Companies that rely on third‑party packages will start running all dependency installations inside disposable, network‑isolated containers with zero outbound API access by default.
