A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services.
The developer disclosed the supply-chain attack on April 30, saying that version 2.6.3 of the package included a hidden execution chain that downloads and executes a JavaScript payload.
PyTorch Lightning is a deep learning framework used for pretraining and fine-tuning AI models. It is a popular package, amassing more than 11 million downloads last month.
The security advisory from the maintainer notes that the malicious execution chain triggers automatically on import and silently spawns a background process.
Source: GitHub
That process downloads a JavaScript runtime (‘Bun v1.3.13’) from GitHub, and executes a 11.4 MB heavily obfuscated JavaScript payload (‘router_runtime.js’).
In a post over the weekend, Microsoft Threat Intelligence says that Defender detected and prevented the malicious routine on customer environments, and notified the package maintainer.
The payload, which Defender detects as “ShaiWorm,” is an information-stealing malware that targets .env files, API keys, secrets, GitHub tokens, and data stored in Chrome, Firefox, and Brave browsers.
It also interacts with cloud service APIs (AWS, Azure, GCP) to steal credentials and supports arbitrary system command execution.
“lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning,” Lightning AI says in the security advisory.
“This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files.”
According to Microsoft’s telemetry, the malicious activity affected “a small number of devices” and appears to have been “contained to a narrow set of environments.”
Lightning AI warns that users who ran ‘import lightning’ with version 2.6.3 may have had their secrets, keys, and tokens compromised. In this case, an immediate rotation of all secrets is strongly recommended.
Currently, PyTorch Lightning has been reverted to 2.6.1 on PyPi, which is safe to use.
At this time, it is unclear exactly how the supply-chain compromise occurred, and the package’s publishers are currently investigating how the build/release pipeline was breached.
Additionally, all other recent releases will be audited for similar payloads, and users will be notified via all available channels.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
