Backdoored PyTorch Lightning Package Drops 'ShaiWorm' Credential Stealer
A malicious version of the popular PyTorch Lightning AI framework was found on PyPI, containing a hidden, credential-stealing payload linked to a broader, cross-ecosystem supply-chain attack.
A malicious version of the PyTorch Lightning package, a widely used deep learning framework, was recently discovered on the Python Package Index (PyPI) containing a hidden, credential-stealing payload. The compromised version, 2.6.3, was identified by the package maintainers, who disclosed the supply-chain attack on April 30 BleepingComputer.
The attack functions through a hidden execution chain that triggers automatically upon importing the library. Once executed, the package silently spawns a background process that downloads the Bun JavaScript runtime (version 1.3.13) from GitHub BleepingComputer. This runtime is then used to execute a heavily obfuscated, 11.4 MB JavaScript file named `router_runtime.js` BleepingComputer. Microsoft Threat Intelligence, which detected and blocked the activity, identified this payload as "ShaiWorm," an information-stealing malware designed to harvest sensitive data BleepingComputer.
The ShaiWorm malware is highly capable, targeting environment files (`.env`), API keys, GitHub tokens, and credentials stored within browsers such as Chrome, Firefox, and Brave BleepingComputer. Furthermore, the malware can interact with cloud service APIs—including AWS, Azure, and GCP—to exfiltrate credentials and execute arbitrary system commands BleepingComputer.
This incident is part of a broader, aggressive campaign known as the "Mini Shai-Hulud" worm, which has demonstrated the ability to propagate across multiple software ecosystems, including npm, PyPI, and Packagist SANS Internet Storm Center. Security researchers at Wiz have attributed this campaign to a threat actor group known as "TeamPCP," citing a shared RSA public key linked to previous operations SANS Internet Storm Center. During this two-day campaign, the worm reportedly compromised various official packages, including those from SAP, and utilized stolen credentials to create approximately 1,800 GitHub repositories SANS Internet Storm Center.
While Microsoft telemetry suggests the impact on PyTorch Lightning users was limited to a "small number of devices," the potential for compromise is significant BleepingComputer. Lightning AI has reverted the package to version 2.6.1, which is considered safe, and strongly advises any users who ran version 2.6.3 to immediately rotate all secrets, keys, and tokens that may have been exposed BleepingComputer.
The investigation into how the build and release pipeline was breached remains ongoing, with maintainers planning to audit other recent releases for similar malicious activity BleepingComputer. This attack highlights the growing risk of cross-ecosystem supply-chain propagation, where automated tools are increasingly weaponized to compromise developer environments and cloud infrastructure at scale SANS Internet Storm Center.