A malicious version of the widely used AI and machine learning framework PyTorch Lightning has been discovered on the Python Package Index (PyPI), containing hidden malware designed to steal credentials and sensitive data from developer and cloud environments.
The compromised versions – lightning==2.6.2 & 2.6.3 – automatically executes malicious code when imported into a Python project. Behind the scenes, it silently downloads additional components and launches an obfuscated payload known as ShaiWorm.
Although the number of confirmed infections currently appears limited, the incident has generated significant concern across the cyber security community due to the popularity of the package, which receives more than 11 million downloads per month.
The incident is being treated as a major software supply chain compromise, highlighting the growing risks associated with trusted open-source dependencies used in AI, development, and cloud infrastructure environments.
What Happened?
PyTorch Lightning is a popular framework used by developers and data scientists to simplify AI and machine learning projects.
Attackers managed to publish a malicious version of the package to PyPI – the central repository developers use to download Python software packages.
Any system that installed and executed:
import lightning
while using version 2.6.2 or 2.6.3 may have unknowingly triggered the malware.
Unlike traditional malware that relies on users opening suspicious files or clicking malicious links, this attack abused the trust developers place in legitimate software packages.
How the Attack Worked
The malicious package contained a hidden execution chain designed to avoid detection.
When the package was imported:
A background process was launched silently
The package downloaded an additional runtime environment from GitHub
A heavily obfuscated JavaScript payload was executed
The malware began searching for credentials and sensitive data
This approach is notable because the attack crossed multiple technologies:
Python package
JavaScript payload
Secondary runtime execution
This makes detection significantly harder for traditional security tooling, which may not expect JavaScript activity inside Python development environments.
What Data Was Targeted?
The malware – identified as ShaiWorm – focused heavily on credential theft and cloud access.
Targets included:
Environment variable files (.env)
API keys
GitHub authentication tokens
AWS, Azure, and Google Cloud credentials
Browser-stored passwords and session data
Developer secrets stored locally
The malware also supported:
Remote command execution
Runtime persistence
Interaction with cloud APIs
In simple terms, the attackers were attempting to steal the keys needed to access development platforms, cloud infrastructure, and potentially production environments.
Why This Matters
This incident is particularly significant because it targets the modern AI and cloud development ecosystem.
Many organisations now rely heavily on:
Open-source AI tooling
Automated build pipelines
Cloud-hosted development environments
Shared credentials and tokens
A compromised package inside a trusted dependency chain can rapidly lead to:
Cloud account compromise
Data theft
Lateral movement
Access to proprietary AI models
Exposure of sensitive development environments
For organisations building or hosting AI systems, the potential impact extends far beyond a single infected workstation.
Current Risk Assessment
Microsoft telemetry suggests the number of confirmed infections remains relatively small at this stage.
However, the risk remains high due to:
The popularity of the package
Widespread use in production AI environments
Access to sensitive cloud infrastructure
The stealthy nature of the malware
Any organisation that imported lightning==2.6.2 or 2.6.3 should assume credentials may have been exposed.
Recommended Actions
Immediate Actions Organisations should:
Identify systems running lightning==2.6.2 or 2.6.3
Treat affected systems as potentially compromised
Rotate:
API keys
GitHub tokens
Cloud credentials
Environment secrets
Revoke and reissue cloud access tokens where appropriate
Containment & Investigation
Isolate affected systems from the network
Review logs for suspicious process execution
Investigate for signs of persistence or lateral movement
Conduct forensic analysis where possible
Longer-Term Measures This incident reinforces the importance of:
Dependency pinning
Package integrity verification
Software allow-listing
Strong DevSecOps controls
Monitoring developer environments as high-value assets
Organisations should also review how open-source dependencies are introduced into development and production environments.
Analyst Assessment
This represents a high-impact software supply chain compromise affecting a widely trusted AI framework.
While the currently observed infection scope appears limited, the potential blast radius is substantial due to the package’s extensive adoption across AI, development, and cloud-integrated environments.
The attacker’s focus on credential theft and cloud access strongly suggests an objective of enabling downstream compromise and persistence inside enterprise infrastructure.
For UK organisations – particularly those operating AI, research, or cloud-heavy environments – this incident should serve as a reminder that developer tooling and open-source dependencies now represent a critical attack surface.
Priority should be placed on:
Strengthening software supply chain visibility
Enforcing strict dependency controls
Monitoring developer environments
Ensuring rapid credential rotation capabilities in the event of compromise
Reducing Risk from Modern Supply Chain Attacks
Incidents like the PyTorch Lightning compromise highlight why organisations need more than traditional antivirus and reactive monitoring. NormCyber’s Managed Detection and Response (MDR) service provides 24/7 threat monitoring and expert-led investigation designed to identify sophisticated attacks before they escalate into full-scale breaches.
From detecting unusual developer activity and credential theft attempts to uncovering suspicious cloud access and lateral movement, our SOC analysts help organisations respond quickly to modern threats targeting AI, cloud, and software supply chains. As attackers increasingly exploit trusted tools and open-source ecosystems, having continuous visibility across endpoints, identities, and cloud environments is critical. To learn how NormCyber MDR helps organisations detect, contain, and respond to advanced cyber threats in real time, visit our Managed Detection and Response service page.
