PyTorch Lightning Security Breach: Lessons Learned

 


Two malicious versions of the widely used PyTorch Lightning deep learning framework were pushed to the Python Package Index on April 30, 2026, embedding credential-harvesting malware that executes silently the moment a developer imports the library. Security firm Socket detected the compromise within 18 minutes of publication, and the affected versions have since been quarantined.

How the Attack Works

Versions 2.6.2 and 2.6.3 of the lightning package — which receives millions of downloads per month — contain injected code in the library's __init__.py file that spawns a background thread on import. The thread runs a hidden start.py script that downloads the Bun JavaScript runtime and executes an obfuscated 11 MB JavaScript payload called router_runtime.js.

The payload harvests SSH keys, shell histories, .env files, cloud credentials for AWS, GCP, and Azure, GitHub and npm tokens, Kubernetes configs, cryptocurrency wallets, VPN credentials, and Discord and Slack session data. Stolen material is RSA-2048 encrypted and exfiltrated to attacker-controlled GitHub repositories.

Linked to Broader Campaign

Socket and Aikido Security have tied the attack to what they call the "Mini Shai-Hulud" campaign, which previously compromised the Bitwarden CLI npm package and SAP npm packages in recent weeks. Socket's analysis found that a compromised Lightning-AI GitHub account, pl-ghost, attempted lateral expansion into other Lightning-AI repositories by creating and rapidly deleting short-lived branches — a pattern consistent with the worm's credential-verification behavior.

A threat actor claiming affiliation with "Team PCP" posted a Tor-hosted message in a GitHub disclosure thread during the incident, though Socket has not confirmed the attribution. The last clean version of the package, 2.6.1, was published on January 30, 2026.

Remediation

Security teams recommend developers immediately remove versions 2.6.2 and 2.6.3, downgrade to version 2.6.1, rotate all credentials that may have been exposed — including GitHub tokens, npm tokens, and cloud secrets — and audit repositories for unauthorized commits from claude@users.noreply.github.com, as the worm impersonates Anthropic's Claude Code tool when poisoning repositories.
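The checks above can be scripted. The following is an added example, not code from Socket, Aikido Security or the Lightning project. It reads the installed version from package metadata rather than importing the library (the payload runs on import), scans requirements-style text for pins to the two bad versions, and filters git history for the impersonated address. The function names and the requirements-file layout are assumptions made for illustration.

```python
"""Triage helper for the compromised lightning releases (added example)."""
import re
import subprocess
from importlib import metadata

BAD_VERSIONS = {"2.6.2", "2.6.3"}                    # versions named in the article
SUSPECT_EMAIL = "claude@users.noreply.github.com"    # address named in the article
# Matches "lightning==X" or "lightning[extra]==X" at line start, not pytorch-lightning.
PIN_RE = re.compile(r"^\s*lightning(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)", re.I | re.M)


def installed_bad_version():
    """Return the installed bad version, or None. Reads package metadata only:
    never `import lightning` to check, because the payload runs on import."""
    try:
        version = metadata.version("lightning")
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None


def bad_pins(requirements_text):
    """Return bad versions pinned as lightning==X in requirements-style text."""
    return [v for v in PIN_RE.findall(requirements_text) if v in BAD_VERSIONS]


def suspect_commits(log_text):
    """Filter `git log --format=%H%x09%ae%x09%ce` output down to commit hashes
    whose author or committer email is the impersonated address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and SUSPECT_EMAIL in (p.strip().lower() for p in parts[1:]):
            hits.append(parts[0])
    return hits


def audit_repo(path):
    """Run the git query over every ref of the repository at `path`."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--all", "--format=%H%x09%ae%x09%ce"],
        capture_output=True, text=True, check=True).stdout
    return suspect_commits(out)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the incident.
    print(installed_bad_version())
    print(bad_pins("torch==2.3.0\nlightning==2.6.2\n"))
    print(suspect_commits("abc123\tdev@example.com\t" + SUSPECT_EMAIL + "\n"))
```

A clean result from these checks does not replace credential rotation on any machine where 2.6.2 or 2.6.3 was ever imported.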