Claude Code’s hook system just got weaponised

The Lightning PyPI compromise published on 30 April is being written up as another Shai-Hulud variant, which it is. Versions 2.6.2 and 2.6.3 of the lightning package shipped with a hidden _runtime directory, a 14.8 MB obfuscated JavaScript payload, and the usual exfiltration to AWS, Azure, GCP, GitHub Actions secrets, and any environment variable it could reach. Andy from Lightning has confirmed on Hacker News that the PyPI credentials were stolen via a compromised pl-ghost bot account, not a malicious PR. The GitHub source was clean. PyPI was the entry point. That part of the story is well-covered by Semgrep and Socket. What is not being talked about enough is that this appears to be the first documented instance of malware abusing Claude Code’s hook system in the wild. What the worm does to your repo Once the payload runs on a developer machine or CI runner, it plants persistence hooks in two places. The VS Code one is familiar territory, a .vscode/tasks.json with runOn: folderOpen…