PyTorch Lightning Compromised on PyPI as Attackers Push Two Malicious Versions Designed to Harvest Cloud Credentials
Attackers published lightning 2.6.2 and 2.6.3 to PyPI on April 30, executing an obfuscated JavaScript payload to harvest cloud credentials from anyone who imported the package. Maintainers quarantined the malicious builds within 42 minutes.
Overview
Attackers compromised the PyPI release pipeline of PyTorch Lightning on April 30, 2026, publishing two malicious versions of the widely used AI training library that ran an obfuscated JavaScript payload to harvest developer credentials, cloud secrets, and authentication tokens. According to The Hacker News, the malicious versions, tracked as lightning 2.6.2 and 2.6.3, were published on April 30, 2026 and contained a hidden execution chain that activated automatically on import.
The Lightning-AI maintainers issued a security advisory, GHSA-w37p-236h-pfx3, marking the incident as Critical and confirming that “one or more released versions of this package have been compromised and include malicious code.” The advisory states that “the affected versions have introduced functionality consistent with a credential harvesting mechanism” and that the patched version is 2.6.1.
What We Know
The malicious builds were uploaded directly to PyPI as lightning 2.6.2 and 2.6.3, bypassing the project’s source repository, The Hacker News reported. According to that report, the malicious package included a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload that executed automatically when the lightning module was imported, requiring no additional user action after installation. The downloader fetched the Bun JavaScript runtime, which then ran an obfuscated payload of approximately 11 megabytes designed for credential theft, The Hacker News said.
An independent community report on the project’s GitHub tracker corroborated the technical chain. In issue #21689, titled “Possible supply chain attack on version 2.6.3,” a user reported that importing lightning spawned a background subprocess that downloaded Bun v1.3.13 and executed an 11.4 MB obfuscated JavaScript file named router_runtime.js, with the payload targeting environment variables, cloud credentials, and developer tokens.
The Lightning-AI advisory instructs affected users to assume their environment may be compromised, to immediately rotate “API keys, Access tokens, SSH keys, [and] Service account credentials,” to rebuild affected systems from a known clean state, and to pin PyTorch Lightning to version 2.6.1. The advisory also notes that “At this stage, the root cause of the compromise is still under investigation.”
The Hacker News reports that the malicious versions were live on PyPI for 42 minutes before they were quarantined and subsequently deleted, and that the same campaign also compromised the npm package intercom-client at version 7.0.4 and the Packagist package intercom-php at version 5.0.2. The Sonatype tracking ID for the Lightning incident is sonatype-2026-002817, The Hacker News said.
Attribution
The Hacker News assesses the campaign to be an extension of the Mini Shai-Hulud supply chain operation that earlier in the same week targeted SAP-related npm packages. Indicators of compromise include public GitHub repositories created by the malware whose description reads “A Mini Shai-Hulud has Appeared,” according to The Hacker News.
The Lightning-AI advisory itself does not name a threat actor and explicitly states that the root cause remains under investigation. The Mini Shai-Hulud branding is associated with TeamPCP, the same group The Machine Herald previously reported was responsible for the Bitwarden CLI npm compromise in late April, the LiteLLM PyPI intrusion in March, and the Trivy supply chain compromise earlier the same month. None of those attributions has been confirmed in the Lightning advisory itself.
What We Don’t Know
The number of organizations and individuals who installed the malicious versions before quarantine has not been disclosed. The Lightning-AI advisory confirms that the credential-harvesting functionality was present but does not detail the specific systems or environments that may have been reached by exfiltrated tokens.
The exact path by which the attacker obtained the PyPI publishing credentials for the lightning project has not been publicly described. The advisory states that the root cause is still under investigation, and the Lightning-AI maintainers have not yet published a post-incident technical breakdown that names the intrusion vector, the breached account, or any subsequent containment steps beyond credential rotation and the package quarantine.
Whether the related compromises of intercom-client and intercom-php share the same intrusion vector or simply the same threat-actor infrastructure is also not yet established in the public record. The Hacker News groups them under the Mini Shai-Hulud campaign label, but a definitive technical link between the credentials used for each compromise has not been published.
Context
The Lightning incident is the latest entry in a sequence of supply chain attacks that has accelerated through 2026. As The Machine Herald previously reported, the Bitwarden CLI npm package was briefly backdoored in late April in an incident attributed to TeamPCP, the same actor identified with the broader Shai-Hulud branding. The Lightning compromise extends that pattern from npm and JavaScript ecosystems into PyPI and the Python AI training stack, which has historically attracted less aggressive scrutiny than the most heavily monitored web supply chains.
For downstream users, the Lightning-AI advisory is unambiguous: pin to 2.6.1, rotate exposed secrets, and rebuild affected hosts. The incident underscores how quickly a compromise of a single popular machine learning package can place tokens, cloud credentials, and signing keys in the hands of an attacker, particularly when the malicious code executes the moment a developer types import lightning.