PyTorch Lightning amassed more than 11 million downloads last month — and one of its PyPI releases, version 2.6.3, concealed a credential‑stealing backdoor that runs automatically when the package is imported.
The backdoor in lightning==2.6.3
Lightning AI, the package maintainer, disclosed on April 30 that lightning==2.6.3 “contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning.” The malicious routine, published to the Python Package Index as a py3‑none‑any wheel, triggers on import and silently spawns a background process.
That background process downloads the Bun JavaScript runtime (identified as Bun v1.3.13) from GitHub and executes a file named router_runtime.js, described by the maintainer as a heavily obfuscated payload sized at 11.4 MB.
ShaiWorm: what the payload steals
Microsoft Threat Intelligence and Defender label the JavaScript payload “ShaiWorm.” According to the published notices, ShaiWorm is an information‑stealing malware that targets a broad set of credentials and secrets. Defender's detection summary lists targeted items including .env files, API keys and other secrets, GitHub tokens, and data stored in Chrome, Firefox, and Brave browsers.
The payload also interacts with cloud service APIs — explicitly named in the advisory as AWS, Azure, and GCP — to exfiltrate credentials, and it supports arbitrary system command execution once present on a host.
Microsoft Defender detected and contained activity
Microsoft Threat Intelligence reported over the weekend that Defender detected and prevented the malicious routine on customer environments and notified the package maintainer. Microsoft’s telemetry, the company said, showed the malicious activity impacted “a small number of devices” and that it appears to have been “contained to a narrow set of environments.”
Those detections were the mechanism by which the maintainers and Microsoft learned of the compromise and prompted the public advisory and remediation steps.
User impact and immediate remediation
Lightning AI warns that users who executed import lightning with version 2.6.3 “may have had their secrets, keys, and tokens compromised.” The maintainer strongly recommends the immediate rotation of all secrets in any environment where that package was imported.
As a short‑term containment step, PyTorch Lightning on PyPI has been reverted to version 2.6.1; Lightning AI states that 2.6.1 is safe to use. The advisory further notes that all recent releases will be audited for similar payloads and that users will be notified through all available channels.
Investigation into the supply‑chain breach and unanswered technical route
Lightning AI has said it is investigating the breach of its build/release pipeline. The maintainers have not yet disclosed exactly how the supply‑chain compromise occurred, and the advisory states that the publishers are auditing recent releases to look for additional malicious code.
The advisory and Microsoft telemetry together leave one concrete operational question pending: how the malicious code was introduced into the package build or release process. That unknown remains the central next step for the maintainers’ investigation and for anyone assessing whether other releases were affected.
The immediate facts are clear: a popular deep‑learning framework shipped a release that executed hidden code on import, the code downloaded and ran a large obfuscated JavaScript payload using Bun, that payload is now tracked as ShaiWorm and targets a wide range of secrets and cloud credentials, and Microsoft Defender reported limited but successful detection and containment. The broader, lasting risk hinges on the channel through which the package’s build or release pipeline was breached — an answer Lightning AI and its publishers have pledged to find and disclose.
Source: BleepingComputer — Backdoored PyTorch Lightning package drops credential stealer
