PyTorch Lightning PyPI Package Drops Credential Stealer

PyTorch Lightning v2.6.3 on PyPI contained a hidden credential stealer targeting browsers, .env files, and cloud APIs. Here's what developers need to know.
PyTorch Lightning v2.6.3 Was Backdoored on PyPI
A malicious version of PyTorch Lightning, one of the most downloaded deep learning packages on PyPI, was quietly pushing a credential stealer to developer machines. Version 2.6.3 of the package contained a hidden execution chain that fired automatically on import, downloaded a JavaScript runtime, and ran an 11.4 MB obfuscated payload in the background. The PyPI supply-chain attack was disclosed by the package maintainer on April 30, 2026.
PyTorch Lightning pulls over 11 million downloads per month. That reach makes this incident particularly serious for ML engineers, data scientists, and anyone running AI training pipelines.
How the Attack Chain Works
The mechanics here are worth understanding in detail. When a developer ran import lightning using version 2.6.3, the package silently spawned a background process without any visible output or error. That process fetched the Bun JavaScript runtime (v1.3.13) directly from GitHub, then used it to execute a file called router_runtime.js.
That JavaScript file is what Microsoft Threat Intelligence identifies as "ShaiWorm." It targets:
- .env files and local environment variables
- API keys, secrets, and GitHub tokens
- Saved credentials in Chrome, Firefox, and Brave
- Cloud service APIs including AWS, Azure, and GCP
The malware also supports arbitrary command execution on the compromised system. Running a single Python import was enough to trigger the full chain. No additional user interaction was required.
Microsoft says Defender detected and blocked the routine on affected customer machines and notified the Lightning AI maintainers. According to Microsoft's telemetry, impact was limited to "a small number of devices" in "a narrow set of environments," but the investigation is still ongoing.
What Developers Are Actually Risking
If you ran import lightning while version 2.6.3 was installed, your credentials may be gone. That includes anything sitting in .env files, shell history, browser credential stores, or cloud CLI configuration directories. The payload specifically went after cloud provider credentials, which means AWS IAM keys, GCP service account tokens, and Azure credentials could all be in attacker hands.
This is not a theoretical risk. Any secrets that existed on the machine at the time of import should be treated as compromised.
The broader concern is pipeline exposure. ML engineers frequently run training scripts in cloud environments with elevated permissions attached. A compromised machine in that context could hand attackers access to production infrastructure, training data, or model artifacts stored in cloud storage.
How to Protect Your Environment Now
Start by checking your installed version. Run pip show lightning and confirm you are not on 2.6.3. Lightning AI has reverted the package to version 2.6.1 on PyPI, which is clean.
If you did run 2.6.3, take these steps immediately:
- Rotate all secrets, API keys, and tokens on every service the machine had access to.
- Audit cloud IAM roles and check for unauthorized access in logs.
- Revoke and regenerate GitHub personal access tokens.
- Clear and reset saved browser credentials.
- Review .env files and treat all contained values as exposed.
For teams running automated pipelines, pin your dependency versions explicitly and use hash verification in requirements.txt or pyproject.toml. Tools like pip-audit and dependency scanning in CI can catch known-malicious packages before they reach developer machines. You can also scan your web-facing applications for exposed secrets and vulnerable endpoints at /scan.
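A pre-merge check for the pinning and hash advice above, as an added example that is not from the original article or the Lightning AI project: it flags requirements that are not pinned with == or carry no --hash, and shows the digest comparison that pip's hash-checking mode (--require-hashes) performs at install time. The function names, the package names other than lightning, and the stand-in wheel bytes are constructed for illustration.

```python
import hashlib
import re

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")
EXACT_PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def logical_lines(text):
    """Join backslash continuations, then drop comments, blanks and option lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line and not line.startswith("-"):  # skip -r, --index-url and similar
            yield line


def audit_requirements(text):
    """Map each requirement to its set of pinned sha256 digests, or to a problem string."""
    report = {}
    for line in logical_lines(text):
        pin = EXACT_PIN.match(line)
        if not pin:
            report[line.split()[0]] = "not pinned with =="
            continue
        hashes = set(HASH_OPT.findall(line))
        report[f"{pin.group(1)}=={pin.group(2)}"] = hashes or "no --hash"
    return report


def artifact_allowed(data, allowed):
    """True only if the downloaded file's digest is one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in allowed


# Constructed inputs: the bytes stand in for a wheel that was reviewed and pinned.
GOOD_WHEEL = b"constructed stand-in for a reviewed wheel file"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()
SAMPLE = f"""\
# constructed requirements.txt
lightning==2.6.1 \\
    --hash=sha256:{GOOD_DIGEST}
examplepkg>=1.0
otherpkg==1.2.3
"""

if __name__ == "__main__":
    for requirement, status in audit_requirements(SAMPLE).items():
        print(requirement, "->", status)
```

A version pin alone would not have stopped a range such as lightning>=2.6 from resolving to a newly published release; the digest check is what rejects a file that differs from the one that was reviewed.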
Supply-chain attacks on popular packages are becoming a repeatable playbook. Reviewing your dependency hygiene now is worth the time. For more on this attack vector, see our coverage of PyPI supply-chain attacks.
How do I know if I ran the malicious version?
Check your pip history or virtual environment logs. If lightning==2.6.3 appears anywhere in your installed packages or lock files, assume you were affected and rotate all secrets immediately.
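One way to run that check, as an added example that is not from the original article or Lightning AI: it reads installed-package metadata instead of importing lightning (the import is what triggered the chain) and scans requirements-style and poetry/uv-style lock text for a 2.6.3 pin. Function names and both sample inputs are constructed for illustration.

```python
import re
from importlib import metadata

BAD_NAME, BAD_VERSION = "lightning", "2.6.3"  # release named in the article
# requirements.txt, pip freeze, pyproject arrays: lightning==2.6.3, "lightning[x]==2.6.3"
REQ_PIN = re.compile(
    r"""^\s*["']?([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*===?\s*([^\s;\\#"',]+)""")
# poetry.lock / uv.lock tables: name = "lightning" followed by version = "2.6.3"
TOML_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]+)"')


def normalize(name):
    """PEP 503 name normalization, so 'Lightning' matches 'lightning'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_is_affected(dist=BAD_NAME):
    """Read installed metadata only; importing the package would run its code."""
    try:
        return metadata.version(dist) == BAD_VERSION
    except metadata.PackageNotFoundError:
        return False


def find_affected_pins(text):
    """Return 1-based line numbers that pin the affected release."""
    hits, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        req = REQ_PIN.match(line)
        kv = TOML_KV.match(line)
        if req and normalize(req.group(1)) == BAD_NAME and req.group(2) == BAD_VERSION:
            hits.append(lineno)
        elif kv and kv.group(1) == "name":
            current = normalize(kv.group(2))
        elif kv and kv.group(1) == "version":
            if current == BAD_NAME and kv.group(2) == BAD_VERSION:
                hits.append(lineno)
            current = None
    return hits


# Constructed samples, not taken from any real project.
SAMPLE_REQ = "torch==2.4.0\nlightning-helper-example==2.6.3\nLightning[extra]==2.6.3 \\\n  --hash=sha256:00\n"
SAMPLE_LOCK = '[[package]]\nname = "lightning"\nversion = "2.6.3"\n\n[[package]]\nname = "otherpkg"\nversion = "2.6.3"\n'

if __name__ == "__main__":
    print("installed release affected:", installed_is_affected())
    print("requirements hits:", find_affected_pins(SAMPLE_REQ))
    print("lock file hits:", find_affected_pins(SAMPLE_LOCK))
```

A clean result covers only the current environment and the files scanned; it says nothing about whether 2.6.3 was installed and imported earlier and then replaced.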
Is the current version of PyTorch Lightning safe to install?
Yes. Lightning AI has reverted to version 2.6.1 on PyPI, which does not contain the malicious payload. Avoid 2.6.3 entirely.
How did the attacker get the backdoor into the package?
That is still under investigation. The build and release pipeline was compromised somehow, but Lightning AI has not confirmed the exact entry point. All recent releases are being audited for similar payloads.