Lightning AI / Semgrep advisory · 2026-04-30 · major
PyTorch Lightning PyPI Hijacked — Versions 2.6.2 and 2.6.3 Steal SSH Keys and Cloud Credentials
Two malicious 'lightning' releases on PyPI ship a Bun-based stealer that pulls SSH keys, .env files, cloud credentials, and crypto wallets the moment the package is imported. Downgrade to 2.6.1 and rotate every secret.

Lightning 2.6.2 and 2.6.3 on PyPI are malicious. Anyone who pip-installed them in the last day needs to rotate every secret on the box.
Key specs
| Spec | Value |
|---|---|
| Affected versions | 2.6.2, 2.6.3 |
| Clean version | 2.6.1 |
| Payload size (MB) | 11 |
| HN points | 249 |
What is it?
On April 30 attackers pushed two compromised builds of the popular 'lightning' Python package (the deep-learning training framework with hundreds of thousands of downloads per day). The builds are part of the Mini Shai-Hulud supply-chain campaign that already hit Bitwarden CLI and SAP-related npm packages this week.
How does it work?
The malware lives in a hidden _runtime directory inside the package and is triggered from __init__.py the moment Python imports the package, so even a `python -c "import lightning"` version check runs it. It silently downloads the Bun runtime (1.3.13), executes an 11 MB obfuscated payload (router_runtime.js), and exfiltrates SSH keys, shell histories, .env files, cloud credentials (AWS, Azure, GCP), Discord and Slack tokens, kube/helm/npm configs, and crypto wallets. Stolen data is RSA-2048 encrypted and pushed to public GitHub repos. It also plants persistence hooks in .claude/ and .vscode/ and creates malicious GitHub Actions workflows so that repo secrets keep leaking after the host is cleaned.
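A defender-side triage check for the indicators above, written here as an added example (it is not Lightning AI's, Semgrep's or the lightning project's own code). It deliberately never imports `lightning`, because the advisory says the stealer runs from `__init__.py` on import; instead it reads the installed version and package location from distribution metadata and looks for the `_runtime` directory, the `router_runtime.js` file and an `__init__.py` that references `_runtime`. The function names, the `build_sample_tree` fixture and the file contents it writes are assumptions made for the demonstration, not artefacts of the real payload.

```python
"""Triage check for the hijacked lightning 2.6.2 / 2.6.3 builds (added example).

Indicator names (_runtime, router_runtime.js, affected versions) come from the
advisory. Everything else here is constructed for demonstration.
"""
from __future__ import annotations

import tempfile
from importlib.metadata import PackageNotFoundError, distribution
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
CLEAN_VERSION = "2.6.1"
HIDDEN_DIR = "_runtime"
PAYLOAD_FILENAME = "router_runtime.js"


def version_is_affected(version: str) -> bool:
    """True if the version string is one of the two hijacked releases."""
    return version.strip() in AFFECTED_VERSIONS


def scan_package_dir(package_dir: Path) -> list[str]:
    """Look for the on-disk indicators without importing the package."""
    findings: list[str] = []
    runtime_dir = package_dir / HIDDEN_DIR
    if runtime_dir.is_dir():
        findings.append(f"hidden directory present: {runtime_dir}")
    for path in package_dir.rglob(PAYLOAD_FILENAME):
        findings.append(f"payload file present: {path}")
    init_file = package_dir / "__init__.py"
    if init_file.is_file() and HIDDEN_DIR in init_file.read_text(errors="replace"):
        findings.append(f"__init__.py references {HIDDEN_DIR}: {init_file}")
    return findings


def installed_lightning() -> tuple[str, Path] | None:
    """Version and package directory from metadata only; no import, so no trigger."""
    try:
        dist = distribution("lightning")
    except PackageNotFoundError:
        return None
    return dist.version, Path(dist.locate_file("lightning"))


def triage(version: str | None, package_dir: Path | None) -> dict:
    """Combine the version check and the directory scan into one verdict."""
    result: dict = {"version": version, "version_affected": False, "findings": []}
    if version is not None:
        result["version_affected"] = version_is_affected(version)
    if package_dir is not None and package_dir.is_dir():
        result["findings"] = scan_package_dir(package_dir)
    result["compromised"] = result["version_affected"] or bool(result["findings"])
    return result


def build_sample_tree(root: Path, *, malicious: bool) -> Path:
    """Constructed fixture: a fake lightning/ layout with or without the indicators."""
    pkg = root / "lightning"
    pkg.mkdir(parents=True, exist_ok=True)
    if malicious:
        (pkg / HIDDEN_DIR).mkdir(exist_ok=True)
        # Placeholder text only; the real payload is an 11 MB obfuscated bundle.
        (pkg / HIDDEN_DIR / PAYLOAD_FILENAME).write_text("// constructed placeholder\n")
        (pkg / "__init__.py").write_text("from ._runtime import bootstrap  # constructed\n")
    else:
        (pkg / "__init__.py").write_text(f"__version__ = '{CLEAN_VERSION}'\n")
    return pkg


def demo() -> tuple[dict, dict]:
    """Run the scanner over a constructed malicious layout and a constructed clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample_tree(Path(tmp) / "bad", malicious=True)
        good = build_sample_tree(Path(tmp) / "good", malicious=False)
        return triage("2.6.3", bad), triage(CLEAN_VERSION, good)


if __name__ == "__main__":
    bad_result, good_result = demo()
    print("constructed malicious layout:", bad_result)
    print("constructed clean layout:", good_result)
    found = installed_lightning()
    if found is not None:
        real_version, real_dir = found
        print("installed lightning:", triage(real_version, real_dir))
```

Running the script on a box that has the affected build installed reports `compromised: True` without ever executing the package; a hit means the host is already burned (the import-time trigger has almost certainly fired during whatever installed or tested it), so the downgrade alone is not enough and every secret on the machine still needs rotating.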
Why does it matter?
ML training environments are credential-rich and rarely sandboxed — fine-tuning a model usually means valid AWS, GitHub, and Hugging Face tokens are sitting in env vars. This is the first major Shai-Hulud-pattern attack to reach a marquee AI/ML training package. Anyone running pip installs over the last day needs to assume every long-lived token on that machine is burned.
Who is it for?
ML engineers, infra teams, anyone running pip install lightning in the last 24 hours
Try it
```shell
pip install lightning==2.6.1  # downgrade, then rotate every secret on the host
```