VDB

GCVE-110-OSM-2026-3445

GCVE-110-OSM-2026-3445
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 30, 2026
TeamPCP has compromised the lightning PyPI package and it now installs bun and a malicious payload. This is part of the "mini Shai-Hulud" campaign. The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload. The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import. Characteristics: start.py, which downloads and executes Bun, a JavaScript runtime, from GitHub router_runtime.js, an 11 MB obfuscated malicious payload Automatic execution on module import through a daemon thread with suppressed output Credential theft and exfiltration patterns targeting tokens, authentication material, repositories, environment variables, and cloud-related secrets GitHub API abuse designed to commit encoded data to repositories using stolen tokens Capability to infect developer NPM package tarballs IOCs: Files router_runtime.js SHA256 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1 SHA1 f1b3e7b3eec3294c4d6b5f87854a52471f03997f MD5 40d0f21b64ec8fb3a7a1959897252e09 Files Planted in Victim Repositories .claude/router_runtime.js Network AWS IMDS hxxp://169[.]254[.]169[.]254 AWS ECS credential endpoint hxxp://169[.]254[.]170[.]2

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlightning2.6.2-2.6.3 (affected)

References

vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›