PyTorch Lightning Compromised: Versions 2.6.2 and 2.6.3 Pushed Mini Shai-Hulud Credential Stealer to PyPI on April 30, 2026
Two malicious versions of PyTorch Lightning — 2.6.2 and 2.6.3 — were published to PyPI on April 30, 2026, executing a credential stealer the moment the library is imported. The attack is part of the Mini Shai-Hulud campaign that has hit 1,800+ developers across PyPI, npm, and Packagist.
On , attackers published two malicious versions of pytorch-lightning — 2.6.2 and 2.6.3 — to the Python Package Index. The compromised wheels run a credential-stealing payload the moment the library is imported, harvesting GitHub tokens, npm credentials, SSH keys, cloud secrets, Kubernetes configs, and .env files. Researchers from Socket, Sonatype, Aikido, and Semgrep tie the campaign to Mini Shai-Hulud, the same self-replicating worm that hit SAP-related npm packages 24 hours earlier.
What Happened
Socket and Sonatype both flagged the malicious uploads within hours of their appearance on PyPI. The compromised distributions included a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload, plus a modified __init__.py that spawns a background process the instant import lightning runs. There is no visible output, no prompt, no opt-in — installation and a single import are enough to detonate the malware.
According to The Hacker News, the same campaign also poisoned intercom-client 7.0.4 on npm using a similar pre-install hook. SecurityWeek reports that 1,800+ developers across PyPI, npm, and Packagist have been affected so far. Lightning AI maintainers worked with PyPI administrators to quarantine the package and the malicious 2.6.2 / 2.6.3 versions have been removed; the latest safe release is 2.6.1.
Key Details
- Affected versions: pytorch-lightning
2.6.2and2.6.3on PyPI, plus[email protected]on npm and several SAP-related npm packages compromised the day before. - Trigger: Malware executes on import of the lightning module — no
postinstallneeded for PyPI; npm variants use a postinstall/preinstall hook. - Targets harvested: GitHub tokens, npm/PyPI auth, SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes contexts, HashiCorp Vault tokens, Docker credentials, and any
.envfile the process can read. - Self-replication: The npm vector modifies the developer's local packages with a hidden postinstall hook so any future
npm publishfrom that machine ships the malware downstream. - Scale: Over 1,800 developers impacted across the Mini Shai-Hulud campaign per SecurityWeek, with combined download counts in the millions across the affected packages.
- Status: Both bad versions deleted from PyPI; safe baseline is
pytorch-lightning==2.6.1.
What Developers and Users Are Saying
The Hacker News thread on the disclosure ran into the hundreds of comments, with the loudest reaction being frustration that import-time code execution in Python packages remains the industry's worst-kept supply-chain footgun. Several commenters pointed out that Socket opened a follow-up issue on the Lightning-AI repository warning users about the compromised versions — and that the issue was closed within one minute by an automated pl-ghost account that posted a "SILENCE DEVELOPER" meme in the thread, which researchers from Aikido attribute to the malware itself attempting to suppress disclosure.
On Reddit's r/MachineLearning and r/Python, the consensus is that this raises the bar from "check your npm install" to "audit every Python AI training run in the past 48 hours." Maintainers of competing frameworks (Hugging Face Accelerate, Ray Train) used the moment to highlight their lack of import-time side effects.
What This Means for Developers
If you ran pip install pytorch-lightning on April 30 or May 1, 2026 — or your CI pipeline did — assume that any credentials accessible to that process are compromised. The recommended response, echoed by Sonatype, Aikido, and the Lightning AI advisory, is:
- Pin
pytorch-lightning==2.6.1inrequirements.txt/pyproject.toml. - Rotate GitHub PATs, npm tokens, AWS/GCP keys, and any other credential present on affected machines.
- Audit recent
npm publishactivity from any developer machine that ran the malicious version — the worm modifies localpackage.jsonfiles to self-propagate. - Run an SCA scanner (Socket, Snyk, Sonatype) over your full transitive tree, not just direct dependencies.
- For CI: rebuild from a clean image and revoke the build-environment IAM role.
What's Next
The Mini Shai-Hulud campaign is still active. Researchers warn the worm's self-propagation logic means previously-clean packages may yet be hijacked through compromised maintainer credentials harvested in the past 72 hours. Lightning AI has published a GHSA-w37p-236h-pfx3 security advisory and PyPI is auditing related accounts. Expect follow-up disclosures from Socket and Sonatype in the coming days as the blast radius is mapped.
Sources
- The Hacker News — PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials — primary disclosure synthesis
- Socket — lightning PyPI Package Compromised in Supply Chain Attack — first detection writeup
- Sonatype — Malicious PyTorch Lightning Packages Found on PyPI — payload analysis
- Semgrep — Shai-Hulud Themed Malware in PyTorch Lightning — code-level breakdown
- Aikido — PyTorch Lightning Compromised by Mini Shai-Hulud — pl-ghost / SILENCE DEVELOPER details
- SecurityWeek — 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom — scale of the campaign
- GitHub Security Advisory GHSA-w37p-236h-pfx3 — official Lightning AI advisory
Stay up to date with Doolpa
Subscribe to Newsletter →