PromptMink npm campaign and malicious lightning releases hit developer supply chains
ReversingLabs disclosed a long-running npm supply chain campaign dubbed PromptMink that inserted malicious dependencies into software projects, including the open-source crypto trading agent openpaw-graveyard. In one highlighted case, a commit co-authored by Anthropic’s Claude Opus added @solana-launchpad/sdk, which pulled in the malicious @validate-sdk/v2 payload. Researchers said the operation has run for more than seven months across over 60 malicious packages and 300 versions, using benign-looking first-stage packages to hide disposable second-stage malware. The payloads stole credentials, sensitive files, cryptocurrency-related data, and in some Linux cases installed attacker SSH keys for persistence; later Rust variants also exfiltrated full project directories and source code. ReversingLabs linked the activity to Famous Chollima, a North Korea-linked group associated with Contagious Interview.
Separately, Socket reported that the widely used PyPI package lightning was compromised in versions 2.6.2 and 2.6.3, while 2.6.1 remained clean. The malicious releases reportedly executed on import, unpacked a hidden _runtime directory, downloaded Bun from GitHub, and launched an obfuscated JavaScript payload aimed at stealing GitHub, npm, and cloud credentials, abusing GitHub APIs, poisoning repositories, and infecting developer npm package tarballs. Because lightning is heavily used in developer workstations, CI/CD pipelines, and cloud build environments, researchers warned that any system that installed and imported the affected versions should be treated as compromised, with exposed credentials rotated and repositories and build systems investigated for follow-on abuse.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Semgrep links lightning malware to Mini Shai-Hulud campaign
On April 30, 2026, Semgrep assessed that the malicious lightning 2.6.2 and 2.6.3 packages were linked to the earlier Mini Shai-Hulud operation based on matching Dune-themed indicators and the commit-message prefix "EveryBoiWeBuildIsAWormyBoi." The report also detailed cross-ecosystem spread via stolen npm credentials, multiple exfiltration channels, and persistence mechanisms including Claude Code hooks, VS Code tasks, and a malicious GitHub Actions workflow.
ReversingLabs discloses PromptMink and links it to Famous Chollima
On April 30, 2026, ReversingLabs disclosed the PromptMink campaign, describing malware that steals credentials, cryptocurrency data, sensitive files, and in some Linux cases installs an attacker SSH key for persistence. The researchers linked the activity to Famous Chollima, a North Korea-linked threat group associated with Contagious Interview.
PyPI quarantines lightning project after malicious releases detected
After Socket detected the malicious lightning 2.6.2 and 2.6.3 releases within minutes of publication on April 30, 2026, PyPI administrators reportedly quarantined the project. This was a platform-level containment action following the supply chain compromise.
Socket discloses lightning compromise and urges incident response
On April 30, 2026, Socket publicly disclosed that lightning versions 2.6.2 and 2.6.3 were malicious and warned that environments which installed and imported them should be treated as compromised. The company advised blocking the versions, rotating credentials, and investigating repositories, CI/CD systems, and developer machines.
Signs emerge of compromised Lightning-AI maintainer account
During the lightning package incident, researchers observed that warning issues were rapidly closed and a taunting message was posted from the pl-ghost GitHub account. Socket said this suggested a Lightning-AI maintainer account may have been compromised.
Malicious lightning versions 2.6.2 and 2.6.3 published to PyPI
On April 30, 2026, malicious versions 2.6.2 and 2.6.3 of the widely used lightning PyPI package were published. The releases executed on import and launched a multi-stage malware chain that downloaded Bun and ran an obfuscated JavaScript payload.
Claude-coauthored commit adds malicious dependency to openpaw-graveyard
On February 28, 2026, a commit co-authored by Anthropic's Claude Opus added the seemingly benign @solana-launchpad/sdk package to the open-source crypto trading agent openpaw-graveyard. That package pulled in the malicious @validate-sdk/v2 payload as part of the PromptMink campaign.
Lightning 2.6.1 released as last known clean version
Socket identified PyPI package lightning version 2.6.1, released on January 30, 2026, as clean. Researchers later advised treating it as the last safe baseline before the compromise.
PromptMink npm supply chain campaign begins
ReversingLabs reported that the PromptMink npm supply chain campaign had been active for more than seven months by late April 2026. The activity involved over 60 malicious packages and more than 300 versions using a two-stage package structure to hide malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
PyTorch Lightning Poisoned - Mini Shai-Hulud Worm Crosses Into the AI/ML Supply Chain - TheCyberThrone
thecyberthrone.in
Open sourcePopular Python Package lightning Hacked in Supply Chain Attack
cybersecuritynews.com
Open sourceClaude-Generated Commit Adds PromptMink Malware to Crypto Trading Agent
cybersecuritynews.com
Open sourcePromptMink: ReversingLabs discloses 7-month DPRK supply chain campaign using LLM Optimization (LLMO) to target AI coding agents via npm : r/netsec
reddit.com
Open sourceShai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library | Semgrep
semgrep.dev
Open sourcelightning PyPI Package Compromised in Supply Chain Attack - ...
socket.dev
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
Mar 21, 2026
Software Supply Chain Threats Targeting Open-Source Ecosystems and Developer Tooling
Open-source software supply chain risk continued to escalate, with reporting citing **454,600+** newly identified malicious packages across major repositories (including **PyPI, npm, Maven Central, NuGet, and Hugging Face**) and tactics ranging from **credential theft** to **multi-stage attacks** and even early **self-replicating** package malware. The activity reportedly concentrated heavily in **npm**, including high-volume “ecosystem flooding” (e.g., single accounts publishing **150,000+** malicious packages in days) and **hijacking of trusted projects**, exploiting developer reliance on superficial trust signals such as package names, READMEs, and download counts. Separately, researchers disclosed **“PackageGate”** vulnerabilities in JavaScript package managers (**npm, pnpm, vlt, and Bun**) that can bypass common post-incident defenses—namely `--ignore-scripts` and lockfile integrity—enabling malicious code execution via compromised dependencies. Koi Security reported six issues; **pnpm, vlt, and Bun** shipped fixes, while **npm** reportedly treated the behavior as expected. In parallel, threat actors abused **GitHub’s fork architecture** to distribute a spoofed *GitHub Desktop* installer promoted via search ads; execution deployed **HijackLoader** and established persistence via a **scheduled task**, underscoring that supply chain threats extend beyond package registries into developer tooling distribution channels.
Mar 21, 2026
Mini Shai-Hulud Supply-Chain Attack Compromised npm, PyPI, and Composer Packages
Researchers reported that the **Mini Shai-Hulud** campaign compromised widely used developer packages across **npm, PyPI, and Packagist/Composer**, including SAP CAP components, `intercom-client`, `intercom/intercom-php`, and PyTorch Lightning’s `lightning` package. The malicious releases delivered an obfuscated credential stealer executed with the **Bun** runtime, harvesting secrets from developer workstations and CI/CD environments, including GitHub, npm, cloud, Kubernetes, and AI tooling credentials. Stolen data was encrypted and exfiltrated through attacker-created public GitHub repositories, and the campaign was linked by multiple researchers to **TeamPCP**. Reports estimated exposure ranging from more than **1,000** to roughly **1,800 repositories**, with no `CVE`, `GHSA`, or `OSV` identifiers assigned at disclosure. Investigators said the attackers abused software publishing workflows rather than relying solely on direct maintainer compromise, including a stolen npm token tied to SAP’s `cloudmtabot` account, an exposed token in CircleCI pull-request builds, and overly broad GitHub and npm **OIDC trusted publishing** policies. The malware propagated by using stolen npm tokens to publish infected patch versions of additional packages and established persistence through developer tooling by planting `.vscode/tasks.json` entries with `"runOn": "folderOpen"` and `.claude/settings.json` `SessionStart` hooks, a technique compared to the earlier **PolinRider/TasksJacker** tradecraft. Maintainers released cleaned package versions, while defenders were urged to rotate credentials, review GitHub, npm, and cloud activity, harden OIDC publishing rules, pin dependencies, and hunt repositories for unauthorized `folderOpen` tasks and Claude hooks.
May 1, 2026