
Malicious Lightning Package on PyPI Delivers Credential-Stealing Payload via Bun Runtime
Tags: Cybersecurity, Supply Chain Attack, Credential Theft, Malware, PyPI, Python, Bun, JavaScript, Snyk
A malicious release of the lightning package on PyPI (Python Package Index) was identified, containing a credential-stealing payload delivered via Bun, a JavaScript runtime. The payload executes automatically upon package import, targeting sensitive user data. The attack pattern shares similarities with the Mini Shai-Hulud npm campaign detected one day prior. Snyk issued a live advisory detailing the compromise, including affected components and recommended credential rotation. No specific CVE ID, victim count, or exact date of discovery was provided in the notice. The impact involves unauthorized access to stored credentials on compromised systems.