Backdoored PyTorch Lightning Package Drops Credential Stealer

What happened

A malicious version of the PyTorch Lightning deep learning framework was published to PyPI on April 30, 2026, containing a hidden execution chain that silently downloads and executes a credential-stealing payload. The compromised version is 2.6.3, and the package maintainer disclosed the supply chain attack the same day. PyTorch Lightning has over 11 million monthly downloads.

The malicious execution chain triggers automatically when the package is imported, spawning a background process that downloads a JavaScript runtime from GitHub and executes an 11.4 MB heavily obfuscated JavaScript payload named router_runtime.js. Microsoft Threat Intelligence identified the payload as ShaiWorm, an information stealer that targets environment files, API keys, secrets, GitHub tokens, and data stored in Chrome, Firefox, and Brave browsers. It also interacts with cloud service APIs across AWS, Azure, and GCP to steal credentials and supports arbitrary system command execution.

Microsoft Defender detected and prevented the malicious routine in customer environments and notified the package maintainer. Microsoft’s telemetry indicates the malicious activity affected a small number of devices and appears contained to a narrow set of environments. The package has been reverted to version 2.6.1 on PyPI, which is confirmed safe. How the build and release pipeline was compromised is still under investigation, and all other recent releases are being audited for similar payloads.

Who is affected

Any developer or organization that ran import lightning with version 2.6.3 installed may have had secrets, keys, tokens, and browser-stored credentials compromised. AI and machine learning teams using PyTorch Lightning for model pretraining or fine-tuning are the primary affected population. Cloud environments where the affected package was installed face potential credential exposure across AWS, Azure, and GCP.

Why CISOs should care

PyTorch Lightning is a foundational tool in AI and machine learning development environments, where it is imported routinely as part of model training workflows. A payload that triggers on import without requiring any additional user action, runs as a background process, and targets cloud credentials alongside browser data can exfiltrate sensitive material before any alert fires. The ShaiWorm designation connects this incident to the broader Shai-Hulud supply chain campaign that has been targeting developer tooling across multiple ecosystems in recent weeks.

For organizations running AI workloads in cloud environments, compromised cloud credentials obtained from a development machine can provide direct access to production infrastructure, training data, and model artifacts.

3 practical actions

  1. Downgrade PyTorch Lightning to version 2.6.1 immediately and rotate all secrets on affected systems: Any environment where version 2.6.3 was installed and import lightning was executed should be treated as compromised. Rotate all API keys, GitHub tokens, cloud credentials, and secrets present in environment files on those systems regardless of whether Defender flagged the activity, as telemetry coverage varies across environments.
  2. Audit AI and ML development environments for ShaiWorm indicators: Microsoft has published detection information under the ShaiWorm designation. Review endpoint telemetry for unexpected Bun JavaScript runtime downloads from GitHub, execution of router_runtime.js, and anomalous outbound connections to cloud service APIs from development machines running PyTorch Lightning.
  3. Implement integrity verification for PyPI packages used in AI development pipelines: The PyTorch Lightning compromise followed a pattern consistent with the broader Shai-Hulud supply chain campaign. Establish hash-pinned dependency requirements for packages used in AI and ML workflows, and implement CI/CD pipeline checks that verify package integrity against known-good digests before installation.
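
An added example for actions 1 and 2 above, not code from Microsoft or the package maintainer: a Python sweep of a directory tree for installed package metadata declaring version 2.6.3 and for files named router_runtime.js. The distribution names checked (lightning, pytorch-lightning) and the sample tree it builds are assumptions constructed for illustration.

```python
import re
import tempfile
from email.parser import Parser
from pathlib import Path

# Assumption: distribution names the affected release may be installed under.
SUSPECT_NAMES = {"lightning", "pytorch-lightning"}
BAD_VERSION = "2.6.3"               # compromised version named in the article
PAYLOAD_NAME = "router_runtime.js"  # payload file name named in the article


def normalize(name):
    """Normalize a distribution name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan(root):
    """Return sorted (kind, path) findings under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name == "METADATA" and path.parent.name.endswith(".dist-info"):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable metadata: skip rather than abort the sweep
            meta = Parser().parsestr(text, headersonly=True)
            if (normalize(meta.get("Name", "")) in SUSPECT_NAMES
                    and (meta.get("Version") or "").strip() == BAD_VERSION):
                findings.append(("bad-version", str(path.parent)))
        elif path.name == PAYLOAD_NAME and path.is_file():
            findings.append(("payload-file", str(path)))
    return sorted(findings)


def build_constructed_tree(base):
    """Constructed sample: one affected env, one clean env, one stand-in payload."""
    for env, version in (("env_a", "2.6.3"), ("env_b", "2.6.1")):
        info = Path(base, env, "site-packages", f"lightning-{version}.dist-info")
        info.mkdir(parents=True)
        (info / "METADATA").write_text(f"Name: lightning\nVersion: {version}\n")
    cache = Path(base, "home", "cache")  # constructed location, not from the article
    cache.mkdir(parents=True)
    (cache / PAYLOAD_NAME).write_text("// constructed placeholder file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        print(scan(tmp))
```

Point scan() at real roots such as virtualenv directories, container image layers, or CI caches; a bad-version hit places that host under the rotation guidance in action 1.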