MAL-2026-3201

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/lightning/MAL-2026-3201.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3201
Published
2026-04-30T16:53:41Z
Modified
2026-06-08T19:30:50.126139383Z
Summary
Malicious code in lightning (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (703ac419d775488be137d7e01517d768da0b5581ab63338fb9523f2289f2b92c)

Versions 2.6.2 and 2.6.3 were compromised.

Compromised versions contain injected code that runs automatically when the module is imported, downloads a (legitimate) JavaScript runtime, and executes the bundled JavaScript infostealer. It collects credentials from multiple sources (e.g. files, process memory, cloud metadata endpoints, and CLI tools such as gh or gcloud), sensitive cryptocurrency data, and shell history files. It also attempts to spread itself to other repositories and packages using the discovered credentials.


Category: MALICIOUS - The campaign has clearly malicious intent (e.g. an infostealer).

Campaign: 2026-04-compr-lightning

Reasons (based on the campaign):

  • infostealer
  • files-exfiltration
  • exfiltration-ssh-keys
  • exfiltration-crypto
  • exfiltration-credentials
  • compromised-package

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-04-compr-lightning/lightning",
            "import_time": "2026-04-30T17:01:25.03549765Z",
            "versions": [
                "2.6.2",
                "2.6.3"
            ],
            "source": "kam193",
            "sha256": "703ac419d775488be137d7e01517d768da0b5581ab63338fb9523f2289f2b92c",
            "modified_time": "2026-04-30T16:53:41Z"
        },
        {
            "id": "pypi/2026-04-compr-lightning/lightning",
            "import_time": "2026-04-30T18:35:47.62757048Z",
            "versions": [
                "2.6.2",
                "2.6.3"
            ],
            "source": "kam193",
            "modified_time": "2026-04-30T16:53:41Z",
            "sha256": "21d1958db35f91cdd9e4daf8466ded080429f05ef2f989a858bef41af4d220b1"
        },
        {
            "id": "pypi/2026-04-compr-lightning/lightning",
            "import_time": "2026-06-08T19:19:19.167899846Z",
            "versions": [
                "2.6.2",
                "2.6.3"
            ],
            "source": "kam193",
            "modified_time": "2026-04-30T16:54:11Z",
            "sha256": "ed90aeeb51f0c9480d8f0590f5c035de65bd67722be97987087abbca61e5a21f"
        }
    ]
}
Affected packages

Package: PyPI / lightning
Affected versions (2.*): 2.6.2, 2.6.3

Database specific
source: "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/lightning/MAL-2026-3201.json"