PyTorch Lightning 2.6.2 Drops Self-Spreading Credential Stealer
Threat actors hijacked the PyPI credentials for PyTorch Lightning to publish two malicious versions containing a self-propagating credential stealer.
On April 30, 2026, threat actors hijacked the PyPI publishing credentials for the PyTorch Lightning framework, releasing a self-propagating credential stealer embedded in versions 2.6.2 and 2.6.3. The supply-chain attack compromised the lightning package, which averages over 11 million monthly downloads, for 42 minutes before PyPI administrators quarantined the releases. Microsoft Defender telemetry indicates the impact was contained to a small number of specific developer environments.
Payload Execution Chain
Unlike typical supply-chain attacks that execute during the installation phase, this malware runs automatically upon invoking import lightning in Python. A modified __init__.py file launches a background process that executes a hidden Python script named start.py located inside a secret _runtime directory.
The bootstrap script checks the host system architecture and downloads the Bun JavaScript runtime version 1.3.13 directly from GitHub. It then executes an 11.4 MB obfuscated JavaScript file named router_runtime.js. Security researchers identify this payload pattern as “Mini Shai-Hulud”, a mechanism that targeted SAP npm packages 24 hours earlier. Similar to the recent LiteLLM PyPI compromise, the malware aggressively targets developer credentials to pivot into wider infrastructure.
The payload scans the local filesystem for .env files, shell environment variables, and cloud API keys for AWS, GCP, and Azure using DefaultAzureCredential. It extracts saved credentials from Chrome, Firefox, and Brave browsers. The malware also plants persistence hooks inside VS Code and Claude Code by modifying local .claude/settings.json files.
Self-Propagation Mechanism
The malware includes a worm component designed to spread horizontally across the open-source ecosystem. If the exfiltration phase uncovers valid npm tokens or GitHub Personal Access Tokens, the script attempts to inject its dropper into every package the stolen credential has permission to modify.
The worm automatically bumps the patch version number of the target package and republishes it to the registry. This creates a waterfall effect where downstream users of the newly infected packages inadvertently download and further propagate the credential stealer, mirroring the blast radius seen in the Cisco Trivy supply chain breach.
Version Status and Mitigation
Lightning AI confirmed the compromise was isolated to their PyPI publishing channel. The official source code repository on GitHub remained secure throughout the incident. The malicious payload was live from 12:45:20 to 13:27:30 UTC.
| Package Status | Version | Publish Date |
|---|---|---|
| Malicious (Quarantined) | 2.6.3 | April 30, 2026 |
| Malicious (Quarantined) | 2.6.2 | April 30, 2026 |
| Safe (Current) | 2.6.1 | January 30, 2026 |
If your environment pulled the lightning package on April 30, force a downgrade to version 2.6.1 immediately. If the compromised package was imported even once, you must rotate all secrets reachable from that environment, audit recent commits for unexpected _runtime directories, and verify your build cache has not stored the malicious artifact.
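The check below is an added example, not code from Lightning AI, PyPI, or Microsoft. It reads the installed version from package metadata rather than running import lightning, since the import is what triggers the payload, and it flags _runtime directories holding the file names given above. Looking for router_runtime.js inside _runtime is an assumption, because only the file name is reported.

```python
import sys
from email.parser import HeaderParser
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                  # quarantined releases per the article
PAYLOAD_NAMES = {"start.py", "router_runtime.js"}  # file names per the article


def installed_lightning_versions(site_packages: Path) -> list[str]:
    """Read versions from *.dist-info/METADATA; the package is never imported."""
    versions = []
    for meta in site_packages.glob("*.dist-info/METADATA"):
        text = meta.read_text(encoding="utf-8", errors="replace")
        headers = HeaderParser().parsestr(text)
        # Match on the Name header so lightning-utilities and similar are skipped.
        if (headers["Name"] or "").lower() == "lightning":
            versions.append(headers["Version"] or "unknown")
    return versions


def scan_site_packages(site_packages: Path) -> list[str]:
    """Return a sorted list of findings for one site-packages directory."""
    findings = []
    for version in installed_lightning_versions(site_packages):
        if version in BAD_VERSIONS:
            findings.append(f"malicious lightning {version} installed in {site_packages}")
    # A _runtime directory alone is not conclusive; flag it only with a payload file.
    for runtime_dir in site_packages.rglob("_runtime"):
        if not runtime_dir.is_dir():
            continue
        for entry in runtime_dir.iterdir():
            if entry.name in PAYLOAD_NAMES:
                findings.append(f"payload file present: {entry}")
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: environments of interest expose site-/dist-packages on sys.path.
    roots = [Path(p) for p in sys.path if p.endswith(("site-packages", "dist-packages"))]
    results = [f for root in roots if root.is_dir() for f in scan_site_packages(root)]
    print("\n".join(results) or "no indicators found")
    sys.exit(1 if results else 0)
```

Run it with each interpreter or virtual environment that may have pulled the package. A clean result does not remove the need to rotate secrets if the package was imported.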