Backdoored PyTorch Lightning package drops credential stealer


2026-05-04 00:00



Details

A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. The developer disclosed the supply-chain attack on April 30, saying that version 2.6.3 of the package included a hidden execution chain that downloads and executes a JavaScript payload.

PyTorch Lightning is a deep learning framework used for pretraining and fine-tuning AI models. It is a popular package, amassing more than 11 million downloads last month.

The security advisory from the maintainer notes that the malicious execution chain triggers automatically on import and silently spawns a background process.

[Figure: Spawning a background process. Source: GitHub]

That process downloads a JavaScript runtime (‘Bun v1.3.13’) from GitHub and executes an 11.4 MB heavily obfuscated JavaScript payload (‘router_runtime.js’).

In a post over the weekend, Microsoft Threat Intelligence says that Defender detected and prevented the malicious routine in customer environments, and notified the package maintainer. The payload, which Defender detects as “ShaiWorm,” is an information-stealing malware that targets .env files, API keys, secrets, GitHub tokens, and data stored in Chrome, Firefox, and Brave browsers.

It also interacts with cloud service APIs (AWS, Azure, GCP) to steal credentials and supports arbitrary system command execution.

“lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning,” Lightning AI says in the security advisory. “This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files.”

According to Microsoft's telemetry, the malicious activity affected "a small number of devices" and appears to have been "contained to a narrow set of environments."

Lightning AI warns that users who ran ‘import lightning’ with version 2.6.3 may have had their secrets, keys, and tokens compromised. In this case, an immediate rotation of all secrets is strongly recommended.

Currently, PyTorch Lightning has been reverted to 2.6.1 on PyPI, which is safe to use. At this time, it is unclear exactly how the supply-chain compromise occurred, and the package's publishers are currently investigating how the build/release pipeline was breached. Additionally, all other recent releases will be audited for similar payloads, and users will be notified via all available channels.
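Because the chain triggers on import, checking an environment for the affected release has to be done from package metadata, without importing `lightning`. The script below is an added example, not code from Lightning AI or Microsoft: it walks a directory tree, reads each `.dist-info/METADATA` file, and flags `lightning` 2.6.3 plus any file named `router_runtime.js`. The function names and the sample layout are assumptions made for illustration; the page does not say where the payload file is written, so a file-name hit is only a lead to investigate.

```python
import os
import re
import sys
from email.parser import HeaderParser
from pathlib import Path

BAD_NAME, BAD_VERSION = "lightning", "2.6.3"   # release named in the advisory
PAYLOAD_FILE = "router_runtime.js"             # payload file name from this page

def normalize(name):
    """PEP 503 normalization so 'Lightning' and 'lightning' compare equal."""
    return re.sub(r"[-_.]+", "-", name).strip().lower()

def scan_tree(root):
    """Return sorted (kind, path) findings under root (site-packages, venv,
    unpacked image). Only reads files; never imports the package, because
    the import is what starts the execution chain."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if dirpath.endswith(".dist-info") and "METADATA" in filenames:
            meta_path = Path(dirpath) / "METADATA"
            with open(meta_path, encoding="utf-8", errors="replace") as fh:
                meta = HeaderParser().parse(fh)
            if (normalize(meta.get("Name", "")) == BAD_NAME
                    and meta.get("Version", "").strip() == BAD_VERSION):
                findings.append(("backdoored-release", str(meta_path)))
        if PAYLOAD_FILE in filenames:
            findings.append(("payload-file", str(Path(dirpath) / PAYLOAD_FILE)))
    return sorted(findings)

def build_constructed_sample(root):
    """Constructed layout for demonstration: two venvs and an empty file that
    only shares the payload's name (its real on-disk location is not stated)."""
    for venv, version in (("venv_a", "2.6.3"), ("venv_b", "2.6.1")):
        info = Path(root) / venv / "site-packages" / f"lightning-{version}.dist-info"
        info.mkdir(parents=True)
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: lightning\nVersion: {version}\n\n")
    (Path(root) / "venv_a" / PAYLOAD_FILE).write_text("")

if __name__ == "__main__":
    for root in sys.argv[1:] or [p for p in sys.path if os.path.isdir(p)]:
        for kind, path in scan_tree(root):
            print(f"{kind}\t{path}")
```

Run it with one or more directories as arguments (virtual environments, CI caches, unpacked container layers); with no arguments it scans the current interpreter's `sys.path`.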