On April 30, 2026, versions 2.6.2 and 2.6.3 of PyTorch Lightning—one of the most popular AI training libraries on PyPI with millions of monthly downloads—were compromised with credential-stealing malware. The attack executes automatically when developers import the package, downloads a JavaScript runtime, and exfiltrates SSH keys, cloud credentials, GitHub tokens, and cryptocurrency wallets to attacker-controlled repositories. Security researchers detected the malware 18 minutes after publication, but hundreds of thousands of downloads had already occurred, making this one of the highest-impact PyPI supply chain attacks of 2026.
What Developers Must Do Now
If you have Lightning 2.6.2 or 2.6.3 installed, treat your system as fully compromised. The malware executes the moment you run import lightning—no additional user interaction required. Check your version with pip show lightning, uninstall immediately if you have 2.6.2 or 2.6.3, and downgrade to version 2.6.1, the last clean release published on January 30, 2026. More critically, rotate every credential on affected systems: GitHub tokens, cloud access keys for AWS, GCP, and Azure, SSH keys, npm tokens, and any secrets stored in environment variables. The malware targets cryptocurrency wallets too. Audit your GitHub repositories for unauthorized commits—attackers create repos with “A Mini Shai-Hulud has Appeared” in the description. PyPI has quarantined the package and maintainers are investigating.
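The version check above can be done without ever importing the package, which matters because the import itself triggers the payload. The following is an added example, not code from the Lightning project or the researchers cited here: it reads the standard `*.dist-info/METADATA` files on disk, and it assumes wheel-style installs and the distribution name `lightning` used in the `pip show` command above.

```python
# Added example: locate compromised Lightning installs by reading package
# metadata on disk. It never imports the package, since importing runs the payload.
import re
import sys
from pathlib import Path

COMPROMISED = {"2.6.2", "2.6.3"}   # versions named in this article
LAST_CLEAN = "2.6.1"               # last clean release per this article

def installed_versions(site_dir, dist_name="lightning"):
    """Return [(version, dist_info_path)] for dist_name found under site_dir."""
    found = []
    for meta in sorted(Path(site_dir).glob("*.dist-info/METADATA")):
        name = version = None
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if not line.strip():
                break  # metadata headers end at the first blank line
            key, _, value = line.partition(":")
            if key.lower() == "name":
                # Normalise so "Lightning" and "lightning" compare equal
                name = re.sub(r"[-_.]+", "-", value.strip()).lower()
            elif key.lower() == "version":
                version = value.strip()
        if name == dist_name and version:
            found.append((version, str(meta.parent)))
    return found

def audit(site_dirs):
    """Return [(dist_info_path, version, status)] across several environments."""
    report = []
    for site_dir in site_dirs:
        for version, path in installed_versions(site_dir):
            status = "COMPROMISED" if version in COMPROMISED else "ok"
            report.append((path, version, status))
    return report

if __name__ == "__main__":
    # Pass site-packages paths of every venv/container layer to check;
    # with no arguments, the current interpreter's site-packages are used.
    dirs = sys.argv[1:] or [p for p in sys.path if p.endswith("site-packages")]
    rows = audit(dirs)
    for path, version, status in rows:
        print(f"{status:12} lightning=={version}  {path}")
    if any(status == "COMPROMISED" for _, _, status in rows):
        print(f"Uninstall, pin lightning=={LAST_CLEAN}, rotate all credentials.")
        sys.exit(1)
```

Run it with a known-clean interpreter against each environment's site-packages directory; a non-zero exit code means at least one affected install was found.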
Cross-Ecosystem Attack: JavaScript Malware in Python
The attack represents a new evolution in supply chain threats. Malicious code injected into Lightning’s __init__.py file spawns a background thread that downloads the Bun JavaScript runtime from GitHub, then executes an 11 MB obfuscated JavaScript payload. This cross-ecosystem technique—using JavaScript malware inside a Python package—makes detection significantly harder. The payload harvests SSH keys, shell histories, cloud credentials, Kubernetes configs, Docker credentials, and more. It exfiltrates stolen data by committing it to attacker-controlled GitHub repositories using the victim’s own credentials. Socket’s AI scanner flagged the malicious packages, but hundreds of thousands of developers had already downloaded infected versions in that window.
Mini Shai-Hulud Campaign Crosses Ecosystems
This incident isn’t isolated. Security researchers attribute the attack to the “Mini Shai-Hulud” campaign, named after the sandworms from Dune, operated by the financially motivated threat actor TeamPCP. The campaign started with compromised SAP-related npm packages on April 29, then jumped to PyPI the next day. On the same day Lightning was hit, the Intercom-Client package also fell victim to the same malware. OX Security reports 8.3 million combined downloads were compromised. Between April 21-23, three separate supply chain attacks hit npm, PyPI, and Docker Hub in just 48 hours. The AI and machine learning ecosystem has become a prime target in 2026, with earlier compromises of LiteLLM and the torchtriton PyTorch dependency following the same pattern: high-value developers with cloud access and credentials worth stealing.
18 Minutes Is Fast, But Not Fast Enough
Here’s the uncomfortable question the industry isn’t asking loudly enough: if AI-powered security tools can detect malware in 18 minutes, why did hundreds of thousands of people download infected packages? Lightning receives hundreds of thousands of downloads per day. Socket’s detection was technically impressive—18 minutes is faster than most human-driven security reviews. But from a user perspective, 18 minutes of unrestricted distribution for a package this popular means the damage was already catastrophic by the time the alarm bells rang. PyPI quarantined the project within hours, but “hours” doesn’t matter when automated CI/CD pipelines pull dependencies every minute. We’re celebrating detection speed while ignoring that reactive security fundamentally cannot protect users of popular packages.
PyPI Faces npm-Style Supply Chain Warfare
The Python ecosystem is now experiencing the same supply chain warfare that plagued npm for years, but with higher stakes. PyPI implemented mandatory 2FA for package maintainers in 2024, yet attackers still compromised Lightning, likely through stolen CI/CD tokens or direct account takeover. The AI and machine learning developer community represents an especially lucrative target: they typically have access to expensive cloud GPU infrastructure, research data, and production ML pipelines. Defenders are adapting with Trusted Publishing via OIDC to eliminate long-lived API tokens, and pip version 26 introduced the --uploaded-prior-to flag to avoid recently published packages. But these are defensive measures in a war where attackers evolve faster than security practices.
Supply chain security is no longer someone else’s problem. Developers can’t blindly trust popular packages anymore. Pin exact versions in your requirements.txt. Treat dependency updates as security events requiring review and testing, not automatic acceptance. Use security scanning tools like Socket, Snyk, or Semgrep in your CI/CD pipelines. Consider private PyPI mirrors for production systems. The era of pip install and trust is over. Every import is now a potential attack vector, and Lightning’s compromise proves that popularity offers no protection—it just makes you a bigger target.
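A CI gate for the pinning advice above, as an added example that is not taken from any of the tools named here: it flags requirement lines that are not exact `==` pins and pins that match the compromised versions listed in this article. The parser is deliberately small and assumes plain `requirements.txt` syntax; the sample file is constructed.

```python
# Added example: fail a build when requirements are unpinned or pin a
# version this article lists as compromised.
import re

COMPROMISED = {"lightning": {"2.6.2", "2.6.3"}}  # from this article

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def audit_requirements(text):
    """Return [(line_number, kind, detail)] for lines that need review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments and trailing line-continuation backslashes
        line = re.sub(r"(^|\s)#.*$", "", raw).strip().rstrip("\\").strip()
        if not line or line.startswith("-"):
            continue  # blank, or an option line such as -r / --hash
        # Drop inline options (--hash=...) and environment markers
        line = re.split(r"\s--|;", line, maxsplit=1)[0].strip()
        m = REQ.match(line)
        if not m:
            findings.append((lineno, "unparsed", raw.strip()))
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        spec = m.group(3).replace(" ", "")
        pin = re.fullmatch(r"==([^*,]+)", spec)  # exactly one ==X.Y.Z, no wildcard
        if pin is None:
            findings.append((lineno, "not-pinned", f"{name} {spec or '(any version)'}"))
        elif pin.group(1) in COMPROMISED.get(name, ()):
            findings.append((lineno, "compromised", f"{name}=={pin.group(1)}"))
    return findings

# Constructed sample input, not a real project's requirements file
SAMPLE = """\
# training stack
lightning==2.6.3
torch>=2.2
numpy==1.26.4  # pinned
requests
lightning[extra]==2.6.1 ; python_version >= "3.9"
-r other.txt
"""

if __name__ == "__main__":
    results = audit_requirements(SAMPLE)
    for lineno, kind, detail in results:
        print(f"line {lineno}: {kind}: {detail}")
    raise SystemExit(1 if results else 0)
```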










