PyTorch Lightning 2.6.3 on PyPI shipped ShaiWorm credential stealer via import hook

A trojaned build of PyTorch Lightning (version 2.6.3) was published to PyPI carrying a hidden execution chain that fired on import. The chain pulled down the Bun JavaScript runtime (v1.3.13) from GitHub and ran an 11.4 MB obfuscated payload Microsoft Defender flagged as ShaiWorm. Targets included .env files, API keys, GitHub tokens, browser data from Chrome, Firefox, and Brave, and credentials harvested via AWS, Azure, and GCP APIs, with arbitrary command execution as a bonus.

The blast radius matters because PyTorch Lightning pulled over 11 million downloads last month as a core framework for AI model pretraining and fine-tuning. Microsoft’s telemetry reports the malicious activity hit only a narrow set of environments before Defender intercepted it and the maintainer was notified. Lightning AI has reverted PyPI to the clean 2.6.1 release.

The initial vector — how the build/release pipeline was breached — is still under investigation, and recent releases are being audited for similar implants. Anyone who executed ‘import lightning’ against 2.6.3 should treat all reachable secrets, tokens, and cloud credentials as compromised and rotate them immediately.