THREATPKG

Supply-chain threat intelligence

Incident detail

critical · pypi · maintainer compromise · osv

Malicious code in lightning (PyPI)

lightning

Risk score

92

AI summary

Indexed incident for lightning (pypi).

Description

Versions 2.6.2 and 2.6.3 were compromised.

The compromised versions contain injected code that runs automatically when the module is imported, downloads a (legitimate) JavaScript runtime, and executes an included JavaScript infostealer. The infostealer collects credentials from multiple sources (e.g. files, process memory, cloud metadata endpoints, CLI commands like gh or gcloud), sensitive cryptocurrency data, and shell history files. It also attempts to spread itself to other repositories and packages using the credentials it discovers.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-compr-lightning

Reasons (based on the campaign):

  • infostealer

  • files-exfiltration

  • exfiltration-ssh-keys

  • exfiltration-crypto

  • exfiltration-credentials

  • compromised-package

Technical details

Affected versions

=2.6.2, =2.6.3

Indicators

  • affected version=2.6.2 · 75%
  • affected version=2.6.3 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
