securityaffairs.com 5/6/2026, 8:20:59 AM · via preferred

ShaiWorm in PyTorch Lightning update steals dev credentials


A malicious PyTorch Lightning update (v2.6.3) on PyPI spread briefly, exposing developers to credential theft before maintainers removed it at the end of April. The compromised package executed hidden code on import, launching a background process that downloaded a JavaScript runtime (Bun) and ran an 11.4 MB heavily obfuscated payload, which Microsoft identified as ShaiWorm, a credential stealer designed to extract data from infected systems.

The malware targeted a wide range of data, including .env files, API keys, GitHub tokens, and credentials stored in browsers such as Chrome, Firefox, and Brave, and it also sought access keys for major cloud platforms like AWS, Azure, and Google Cloud.

Lightning AI urged users of version 2.6.3 to rotate all credentials and secrets immediately, removed the malicious release, and replaced it with a safe version. Microsoft Defender reported protection against the threat on affected endpoints and noted that the spread was limited to a relatively small number of systems.

The incident underscores how trusted components in AI and Python ecosystems can become entry points, with authorities investigating whether a compromised developer account, build system, or third-party dependency enabled the attack. According to Microsoft Defender, observed activity remained limited and the investigation continues into potential container-based telemetry and registry signals.
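Because the payload ran on import, an exposure check for version 2.6.3 should read package metadata and dependency pins without ever importing the package. The sketch below is an added example, not code from Lightning AI, Microsoft, or the article; the distribution names `pytorch-lightning` and `lightning` and the sample requirements text are assumptions made for illustration.

```python
import re
from importlib import metadata

AFFECTED_VERSION = "2.6.3"  # release named in the article
# Assumption: PyPI distribution names under which PyTorch Lightning is published.
DIST_NAMES = ("pytorch-lightning", "lightning")

# Exact pin ("name==version" or "name[extra]==version") in requirements-style text.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)"
)

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample
torch==2.3.0
PyTorch_Lightning==2.6.3
lightning[extra]==2.6.2
lightning==2.6.3 ; python_version >= "3.9"
"""

def normalize(name):
    """Normalize a distribution name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_hits():
    """Affected installs in this environment, read from metadata only (no import)."""
    hits = []
    for name in DIST_NAMES:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if version == AFFECTED_VERSION:
            hits.append((name, version))
    return hits

def pinned_hits(requirements_text):
    """(line number, name, version) for every exact pin of the affected release."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) in DIST_NAMES and m.group(2) == AFFECTED_VERSION:
            hits.append((lineno, normalize(m.group(1)), m.group(2)))
    return hits

if __name__ == "__main__":
    print("installed:", installed_hits())
    print("pinned:", pinned_hits(SAMPLE_REQUIREMENTS))
```

Version ranges such as `>=2.6` are not flagged by `pinned_hits`, so confirm what they resolved to from the lock file or from `installed_hits()` in each environment and build image.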


Article by CyberSIXT
