{
  "title": "Lightning PyPI Bun-Based Credential Stealer",
  "summary": "On April 30, 2026, malicious `lightning` PyPI releases 2.6.2 and 2.6.3 shipped an import-time loader that bootstrapped Bun and executed a large obfuscated JavaScript credential stealer.",
  "date": "2026-04-30",
  "severity": "critical",
  "tags": [
    "pypi",
    "package-compromise",
    "supply-chain",
    "credential-theft",
    "shai-hulud"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "lightning-pypi-bun-stealer",
    "since": "2026-01-30T00:00:00Z",
    "until": "2026-05-01T00:00:00Z",
    "ecosystem": "pypi, python pypi",
    "cves": [
      "CVE-2026-44484"
    ],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "lightning"
    ],
    "versions": [
      "2.6.2",
      "2.6.3",
      "lightning==2.6.2",
      "lightning==2.6.3"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "setup.mjs",
      "router_runtime.js",
      "Bun launcher"
    ],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [
      "Python import-time loader launches Bun to execute obfuscated JavaScript"
    ],
    "networkPatterns": [
      "egress related to malicious lightning PyPI releases"
    ],
    "telemetrySelectors": []
  }
}