PyTorch Lightning 2.6.2 Drops Self-Spreading Credential Stealer
Threat actors hijacked the PyPI credentials for PyTorch Lightning to publish two malicious versions containing a self-propagating credential stealer.
On April 30, 2026, threat actors hijacked the PyPI publishing credentials for the PyTorch Lightning framework, releasing a self-propagating credential stealer embedded in versions 2.6.2 and 2.6.3. The supply-chain attack compromised the lightning package, which averages over 11 million monthly downloads, for 42 minutes before PyPI administrators quarantined the releases. Microsoft Defender telemetry indicates the impact was contained to a small number of specific developer environments.
Payload Execution Chain
Unlike typical supply-chain attacks that execute during the installation phase, this malware runs automatically upon invoking import lightning in Python. A modified __init__.py file launches a background process that executes a hidden Python script named start.py located inside a secret _runtime directory.
The bootstrap script checks the host system architecture and downloads the Bun JavaScript runtime version 1.3.13 directly from GitHub. It then executes an 11.4 MB obfuscated JavaScript file named router_runtime.js. Security researchers identify this payload pattern as “Mini Shai-Hulud”, a mechanism that targeted SAP npm packages 24 hours earlier. Similar to the recent LiteLLM PyPI compromise, the malware aggressively targets developer credentials to pivot into wider infrastructure.
The payload scans the local filesystem for .env files, shell environment variables, and cloud API keys for AWS, GCP, and Azure using DefaultAzureCredential. It extracts saved credentials from Chrome, Firefox, and Brave browsers. The malware also plants persistence hooks inside VS Code and Claude Code by modifying local .claude/settings.json files.
Self-Propagation Mechanism
The malware includes a worm component designed to spread horizontally across the open-source ecosystem. If the exfiltration phase uncovers valid npm tokens or GitHub Personal Access Tokens, the script attempts to inject its dropper into every package the stolen credential has permission to modify.
The worm automatically bumps the patch version number of the target package and republishes it to the registry. This creates a waterfall effect where downstream users of the newly infected packages inadvertently download and further propagate the credential stealer, mirroring the blast radius seen in the Cisco Trivy supply chain breach.
Version Status and Mitigation
Lightning AI confirmed the compromise was isolated to their PyPI publishing channel. The official source code repository on GitHub remained secure throughout the incident. The malicious payload was live from 12:45:20 to 13:27:30 UTC.
| Package Status | Version | Publish Date |
|---|---|---|
| Malicious (Quarantined) | 2.6.3 | April 30, 2026 |
| Malicious (Quarantined) | 2.6.2 | April 30, 2026 |
| Safe (Current) | 2.6.1 | January 30, 2026 |
If your environment pulled the lightning package on April 30, force a downgrade to version 2.6.1 immediately. If the compromised package was imported even once, you must rotate all secrets reachable from that environment, audit recent commits for unexpected _runtime directories, and verify your build cache has not stored the malicious artifact.
Get Insanely Good at AI
The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.
Keep Reading
How to Cut CPU Costs with Cloudflare Workers Cache
You will learn how to configure Cloudflare Workers Cache to serve responses directly from entrypoints, handle invalidations, and partition cache keys.
PyPI and npm Purge 73 Fake Azure Packages Targeting AI Agents
Security researchers discovered 73 malicious PyPI and npm packages mimicking Microsoft Azure libraries to install credential stealers on AI coding agents.
Crypto Key Stealer Hidden in Usage Telemetry Hits Injective SDK
Attackers compromised a maintainer's GitHub account to inject wallet-stealing malware disguised as telemetry into the official Injective SDK on npm.
Miasma Worm Steals Cloud Keys via 32 Red Hat npm Packages
Attackers exploited a compromised Red Hat GitHub account to publish 32 malicious npm packages containing the Miasma credential-stealing worm.
AI Prompt Injection Masks Malware in 19 PyPI Science Packages
The Hades supply chain campaign compromised 19 bioinformatics and Graph ML libraries on PyPI with memory scrapers and AI scanner misdirection.