
Backdoored PyTorch Lightning Package Drops Credential Stealer
Why It Matters
The supply‑chain breach compromises critical AI development tools, risking exposure of API keys and cloud credentials across thousands of projects. Prompt remediation is essential to protect both proprietary models and the broader cloud infrastructure they rely on.
Key Takeaways
- PyTorch Lightning 2.6.3 delivered hidden Bun runtime
- Credential stealer targets .env files, browser data, cloud APIs
- Over 11 million downloads last month increase exposure risk
- Microsoft Defender flagged and blocked ShaiWorm payload
- Users urged to rotate secrets and downgrade to 2.6.1
Pulse Analysis
Supply‑chain attacks on open‑source ecosystems have surged, and the PyTorch Lightning incident underscores the vulnerability of widely adopted AI libraries. PyPI, the default repository for Python packages, serves millions of developers daily, making any malicious upload a potential vector for mass exploitation. When a popular framework like Lightning—used for rapid model prototyping and production—gets compromised, the attack surface expands beyond a single organization to any project that imports the tainted version.
The malicious v2.6.3 package embeds a covert chain that pulls the Bun JavaScript runtime from GitHub and executes a heavily obfuscated script named "router_runtime.js." This script, identified as ShaiWorm by Microsoft Threat Intelligence, harvests secrets from environment files, browser stores (Chrome, Firefox, Brave) and cloud provider APIs such as AWS, Azure, and GCP. Microsoft Defender detected and blocked the payload on a limited set of devices, but the rapid download count—over 11 million installations in the preceding month—means a substantial number of developers could have been exposed before the threat was neutralized.
Lightning AI’s swift rollback to version 2.6.1 and the recommendation to rotate all credentials illustrate the immediate remediation steps required after a supply‑chain breach. The episode also highlights the need for stronger provenance checks, reproducible builds, and continuous monitoring of third‑party dependencies in AI workflows. Organizations should enforce strict version pinning, employ automated scanning tools for malicious code, and educate developers on the risks of importing packages without verification, thereby safeguarding both their models and the cloud resources they depend on.
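The remediation steps above (find the affected release, rotate secrets, pin the rollback version) can be turned into a repeatable check. The following is an added example written for this page; it is not code from the article, from Microsoft, or from Lightning AI. The affected version (2.6.3) and the rollback version (2.6.1) come from the article; the PyPI distribution names `pytorch-lightning` and `lightning`, and the use of `pip list --format=json` as the input format, are assumptions.

```python
"""Audit a Python environment for the backdoored PyTorch Lightning release.

Added example for this page; not code from the article or from Lightning AI.
From the article: the affected release is 2.6.3 and the rollback target is 2.6.1.
Assumed (not stated on the page): the framework is published on PyPI under the
distribution names "pytorch-lightning" and "lightning", and the input is the
JSON emitted by `pip list --format=json`.
"""
import json
import re
import subprocess
import sys
from dataclasses import dataclass

AFFECTED_VERSION = "2.6.3"   # backdoored release named in the article
SAFE_VERSION = "2.6.1"       # rollback target recommended in the article
# Assumption: distribution names under which the framework ships on PyPI.
WATCHED_DISTRIBUTIONS = {"pytorch-lightning", "lightning"}


@dataclass
class Finding:
    name: str
    version: str
    affected: bool
    advice: str


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned_requirement(name: str) -> str:
    """Requirement line pinning the rollback release exactly (==, never >=)."""
    return f"{normalize(name)}=={SAFE_VERSION}"


def audit(pip_list_json: str) -> list[Finding]:
    """Return one Finding per watched distribution present in the environment."""
    findings = []
    for entry in json.loads(pip_list_json):
        name = normalize(entry["name"])
        if name not in WATCHED_DISTRIBUTIONS:
            continue
        affected = entry["version"] == AFFECTED_VERSION
        if affected:
            # The stealer reads .env files, browser stores and cloud credentials,
            # so every secret reachable from this host has to be treated as exposed.
            advice = ("rotate every secret readable from this host, then reinstall "
                      f"with '{pinned_requirement(name)}'")
        else:
            advice = "not the affected release; keep the version pinned"
        findings.append(Finding(name, entry["version"], affected, advice))
    return findings


def audit_current_environment() -> list[Finding]:
    """Run pip for the interpreter executing this script and audit its output."""
    result = subprocess.run(
        [sys.executable, "-m", "pip", "list", "--format=json"],
        capture_output=True, text=True, check=True,
    )
    return audit(result.stdout)


# Constructed sample of `pip list --format=json` output; not taken from any real host.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "torch", "version": "2.4.0"},
    {"name": "pytorch_lightning", "version": "2.6.3"},
    {"name": "Lightning", "version": "2.6.1"},
    {"name": "requests", "version": "2.32.3"},
])

if __name__ == "__main__":
    # Pass --live to audit the running interpreter instead of the constructed sample.
    findings = audit_current_environment() if "--live" in sys.argv else audit(SAMPLE_PIP_LIST)
    for f in findings:
        status = "AFFECTED" if f.affected else "ok"
        print(f"{status:8} {f.name}=={f.version}: {f.advice}")
    sys.exit(1 if any(f.affected for f in findings) else 0)
```

The non-zero exit code lets the script gate a CI job or a fleet-wide inventory run. Exact `==` pins (ideally combined with pip's `--require-hashes` mode and a lock file) are what keep a future `pip install -U` from silently pulling a newer, possibly tainted, release back in.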