A malicious PyTorch Lightning update (v2.6.3) on PyPI spread briefly, stealing credentials and raising major concerns about AI supply chain security.
A malicious update of the PyTorch Lightning library exposed developers to credential theft and remote compromise. Attackers uploaded version 2.6.3 to the Python Package Index (PyPI), where it spread among developers before maintainers removed it at the end of April.
PyTorch Lightning is an open-source framework built on top of PyTorch that simplifies how developers train and deploy deep learning models.
Given the library’s popularity in AI development, the incident raised serious concerns about the security of software supply chains.
The compromised package executed hidden code as soon as developers imported it. It launched a background process, downloaded a JavaScript runtime (Bun), and ran a large, heavily obfuscated payload. Microsoft identified the malware as ShaiWorm, a credential stealer designed to extract sensitive information from infected systems.
“lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning. This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files.” reads the advisory.
The malware targeted a wide range of data. It searched for .env files, API keys, GitHub tokens, and credentials stored in browsers like Chrome, Firefox, and Brave. It also collected access keys for major cloud platforms, including AWS, Azure, and Google Cloud. Beyond data theft, the malware allowed attackers to execute arbitrary commands on the system, effectively giving them full control over compromised environments.
Lightning AI quickly warned users about the risk. The company advised anyone who used version 2.6.3 to rotate all credentials and secrets immediately. It removed the malicious release and replaced it with a safe version. At the same time, Microsoft Defender detected and blocked the threat on affected endpoints, limiting its spread to a relatively small number of systems.
It is still unclear how attackers managed to insert the backdoor. Lightning AI continues to examine whether a compromised developer account, build system, or third-party dependency enabled the attack. The company also audits other recent releases to ensure no additional malicious code remains.
“Observed activity remains limited to a small number of devices and appear contained to a narrow set of environments.” states Microsoft. “We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios.”
This incident shows how attackers increasingly target trusted components in the AI and Python ecosystems. Widely used libraries offer an efficient entry point, allowing attackers to reach many developers at once. It highlights the need for stronger safeguards, including dependency verification, runtime monitoring, and stricter controls around software distribution and updates.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PyTorch Lightning)
