
If you're building, training, or shipping AI models with PyTorch Lightning, check your installed version immediately — two freshly published releases of the lightning package on PyPI have been weaponised to silently steal credentials the moment you import the library.
Socket's research team today confirmed that versions 2.6.2 and 2.6.3 of the popular deep learning framework are malicious. Version 2.6.1, published January 30, 2026, is clean. Version 2.6.2, published today (April 30, 2026), is where the malicious code was introduced — and Socket's AI scanner flagged both versions as potentially malicious just eighteen minutes after publication.
The timing is critical. Lightning receives hundreds of thousands of downloads per day and millions per month, making this among the highest-impact PyPI compromises of the year.
What the malware actually does
The attack is surgical and stealthy. The malicious package hides a _runtime directory containing a downloader and an obfuscated JavaScript payload. The execution chain fires automatically the moment the lightning module is imported — no additional interaction required.
Under the hood, Socket's analysis found two core components: start.py, which downloads and executes Bun (a JavaScript runtime) directly from GitHub, and router_runtime.js — an 11 MB obfuscated payload that runs silently in a daemon thread with suppressed output.
The use of Bun to execute an obfuscated JavaScript payload is a hallmark of the Shai-Hulud worm family, and Socket flagged clear overlaps: the obfuscated JavaScript payload shares similarities with Shai-Hulud attacks, with overlapping targeted tokens, credentials, and obfuscation methods. Socket also found signs that router_runtime.js both poisons GitHub repositories and infects developer npm packages.
The payload's scope is broad: the JavaScript file contains over 703 references to process and env, more than 463 references to tokens and authentication, and 336 references to repositories — alongside credential exfiltration patterns consistent with the theft of developer and cloud credentials, and GitHub API abuse designed to commit encoded data to repositories using stolen tokens.
The GitHub cover-up

A community member first flagged the compromise in Lightning-AI's GitHub repository under issue #21689, describing the hidden execution chain. That issue was closed without a public explanation. Socket then opened a follow-up warning issue in the Lightning-AI/pytorch-lightning repository. It was closed within one minute by the pl-ghost account, which posted a "SILENCE DEVELOPER" meme in response. This behaviour strongly suggests the project's GitHub account is itself compromised.
Part of a larger wave
This attack doesn't exist in isolation. As Cyber Kendra has been tracking, the sprawling TeamPCP supply chain campaign has also compromised Checkmarx's KICS Docker images and Bitwarden's CLI npm package, with hackers leaving it live long enough to harvest AWS keys, GitHub tokens, and SSH credentials.
Just last week, three separate supply chain attacks hit npm, PyPI, and Docker Hub between April 21–23, all targeting the same prize: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD pipelines.
What you need to do right now
Socket recommends treating any environment that has installed and imported either 2.6.2 or 2.6.3 as fully compromised. The immediate checklist:
- Remove lightning 2.6.2 and 2.6.3 from all systems and downgrade to 2.6.1
- Rotate all credentials that may have been exposed — GitHub tokens, npm tokens, AWS/GCP/Azure keys, and any secrets stored in environment variables
- Audit your GitHub repositories for unexpected commits or encoded data
- Inspect CI/CD logs and developer machines where the package may have been imported
- Flag any npm packages published from affected machines for review, as the malware is capable of infecting npm tarballs
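For the first checklist item, the installed version can be read from package metadata on disk, so the check never imports lightning. The script below is an added example, not Socket's tooling or code from the Lightning project. The function name is hypothetical, and because the article does not say where the _runtime directory sits inside the package, the script searches the whole lightning tree for it.

```python
"""Scan site-packages for the lightning releases named above WITHOUT importing
the package, since import is what starts the execution chain."""
import sys
import sysconfig
from email import message_from_string
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}               # versions named in the article
ARTIFACTS = {"start.py", "router_runtime.js"}   # file names named in the article


def scan_site_packages(site_packages):
    """Return {'bad_versions': [...], 'artifacts': [...]} for one site-packages dir."""
    root = Path(site_packages)
    found = {"bad_versions": [], "artifacts": []}
    # The installed version comes from the dist-info METADATA file, read as text.
    for meta in root.glob("*.dist-info/METADATA"):
        md = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
        name = (md.get("Name") or "").strip().lower()
        version = (md.get("Version") or "").strip()
        # Exact name match, so lightning-utilities and similar are not flagged.
        if name == "lightning" and version in BAD_VERSIONS:
            found["bad_versions"].append(version)
    # Assumption: the article does not give the path of _runtime, so search the
    # whole lightning package tree for a directory with that name.
    pkg = root / "lightning"
    if pkg.is_dir():
        for d in pkg.rglob("_runtime"):
            if d.is_dir():
                found["artifacts"] += [p.relative_to(root).as_posix()
                                       for p in sorted(d.iterdir())
                                       if p.name in ARTIFACTS]
    found["bad_versions"].sort()
    return found


if __name__ == "__main__":
    # Paths may be passed as arguments; default is this interpreter's site-packages.
    paths = sys.argv[1:] or [sysconfig.get_paths()["purelib"]]
    hit = False
    for path in paths:
        result = scan_site_packages(path)
        print(path, result)
        hit = hit or bool(result["bad_versions"] or result["artifacts"])
    sys.exit(1 if hit else 0)
```

Run it with a system Python and pass each virtual environment's site-packages path as an argument; a non-zero exit code means a match. A clean result does not clear a machine where an affected version was imported earlier and later removed.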
Socket is continuing its analysis and has pledged a deeper technical write-up as more indicators of compromise are confirmed.
This story is developing.