PyTorch Lightning hit by network compromise
Incident
Summary
A malicious PyTorch Lightning release on PyPI created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored version 2.6.3 uses a hidden execution chain to download Bun v1.3.13 and run an obfuscated payload. That payload targets .env files, browser-stored secrets, and AWS, Azure, and GCP credentials, putting developer and cloud accounts at risk. Microsoft Threat Intelligence says Defender detected and blocked the activity on a small number of devices, and the package was reverted to 2.6.1.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
How related:
That process downloads a JavaScript runtime (‘Bun v1.3.13’) from GitHub, and executes an 11.4 MB heavily obfuscated JavaScript payload (‘router_runtime.js’).
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Timeline
- 04.05.2026 20:15 · 2 articles · 23d ago
Lightning AI discloses malicious PyTorch Lightning 2.6.3
Initial Disclosure: Lightning AI discloses that PyTorch Lightning 2.6.3 on PyPI contains a hidden execution chain that triggers on import, downloads a JavaScript runtime, and runs an obfuscated payload tied to credential theft from browsers, .env files, and cloud services.
Sources:
- Backdoored PyTorch Lightning package drops credential stealer — www.bleepingcomputer.com — 04.05.2026 20:15
- 04.05.2026 20:15 · 1 article · 23d ago
Microsoft Defender detects and blocks ShaiWorm on customer devices
Detection IoC Update: Microsoft Threat Intelligence reports that Defender detected and prevented the malicious PyTorch Lightning routine in customer environments, notified the maintainer, and observed activity affecting a small number of devices in a narrow set of environments.
Sources:
- Backdoored PyTorch Lightning package drops credential stealer — www.bleepingcomputer.com — 04.05.2026 20:15
- 04.05.2026 20:15 · 1 article · 23d ago
PyTorch Lightning reverts package to 2.6.1 on PyPI
Mitigation Patch Update: PyTorch Lightning has been reverted to 2.6.1 on PyPI, which is described as safe to use, while users who imported 2.6.3 are advised to rotate all secrets, keys, and tokens that may have been exposed.
Sources:
- Backdoored PyTorch Lightning package drops credential stealer — www.bleepingcomputer.com — 04.05.2026 20:15