PyTorch Lightning Compromised: Shai-Hulud Worm Reaches PyPI Table of Contents The Shai-Hulud threat campaign has crossed from npm into PyPI. PyPI yanked lightning versions 2.6.2 and 2.6.3 of the PyTorch Lightning deep-learning framework after both embedded a credential-stealing worm. Every Python process that ran import lightning spawned the payload. The campaign is attributed to TeamPCP (also identified as LAPSUS$). TL;DR Both versions carry a two-stage payload: a Python dropper injected into lightning/init.py that bootstraps the Bun JavaScript runtime, followed by an 11MB obfuscated JavaScript worm (router_runtime.js ). The JS payload is byte-for-byte identical to execution.js from the SAP CAP npm compromise published one day earlier: same credential collectors, same GitHub worm, same npm republisher, same C2 encryption scheme. Version 2.6.3 stripped all debug output from the Python dropper and ran silent. PyPI marks the first confirmed Shai-Hulud deployment outside npm. One key technical difference from the npm campaigns: the init.py trigger fires on import , not pip install , so sandboxed install environments miss it. Impact:
- Credential theft on every
import lightning
: GitHub OAuth/PAT tokens (ghp_
,gho_
), npm automation tokens (npm_
), GitHub Actions service tokens (ghs_
), and all process environment variables including cloud credentials - AWS account fingerprinting via sts:GetCallerIdentity and Secrets Manager enumeration - Persistent foothold committed into up to 50 branches per writable GitHub repository via commits authored as claude , adding.vscode/tasks.json ,.claude/settings.json ,.claude/router_runtime.js , and.claude/setup.mjs ; GitHub tokens are validated againstapi.github.com/user before exploitation - npm package re-publication with the worm injected, bridging the compromise from PyPI into the npm ecosystem
- Exfiltration to an encrypted C2 on port 443 Indicators of Compromise Malicious Package Artifacts The router_runtime.js hash matches the execution.js
payload in @cap-js/[email protected]
, @cap-js/[email protected]
, @cap-js/[email protected]
, and [email protected]
. File Presence Indicators Any of these paths inside an installed lightning package indicate compromise: lightning/_runtime/start.py lightning/_runtime/router_runtime.js lightning/_runtime/.bun/bun (Bun binary written at runtime) Repository Poisoning Indicators
- Unexpected commits adding .vscode/tasks.json ,.claude/settings.json ,.claude/setup.mjs , or.claude/router_runtime.js
- Git commit author name claude with ausers.noreply.github.com email on commits not made by your team - VS Code task labelled Environment Setup withrunOptions.runOn: folderOpen Analysis Execution Trigger: import-time, not install-time The attacker modified lightning/init.py to spawn the payload as a daemon thread before any legitimate framework classes load: The thread fires for every Python process that imports the library: training scripts, Jupyter notebooks, CI/CD jobs, from lightning import Trainer . The daemon flag prevents it from blocking the importer or appearing in stack traces. The critical difference from the SAP npm campaign: preinstall hooks in npm run at npm install time inside the package manager’s process. This trigger fires at application runtime, inside the user’s own process, with access to the full runtime environment including any secrets the application loaded. A sandboxed or network-restricted install step offers no protection. Stage 1: Bun Dropper start.py checks for a local or system Bun installation, downloads Bun 1.3.13 from the official GitHub release URL if absent, and executes router_runtime.js : 2.6.2 vs 2.6.3. Version 2.6.2 printed progress to stdout: [*] Bun not found. Down and installing locally...
, [*] Extracting binary...
, [*] Executing: router_runtime.js
. Version 2.6.3 removed every print statement and added stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL to the Bun subprocess call. The router_runtime.js payload is unchanged between versions. Stage 2: The Shai-Hulud Payload router_runtime.js is the same 11MB obfuscated bundle documented in the SAP CAP npm campaign analysis. That analysis covers credential collectors, GitHub worm, npm republisher, and C2 exfiltration in full. Two details survive obfuscation in plaintext at the tail of the file: Geofencing. The payload calls tu0() before doing anything else. The function checks Intl.DateTimeFormat().resolvedOptions().timeZone and the LC_ALL , LC_MESSAGES , LANGUAGE , and LANG environment variables for Russian locale markers. If any match, the process exits immediately. All known Shai-Hulud samples include this check. Repository file map. The k4f object listing files committed to victim repositories is readable despite obfuscation: The worm authors commits as { name: 'claude', email: /* obfuscated */ } , impersonating Claude Code automated commits. The worm targets up to 50 branches per repository (the branch filter AH0 is an empty array) and runs up to 2 parallel commit operations. Conclusion The Shai-Hulud campaign reached the Python ML ecosystem by reusing the same JS payload with a new delivery mechanism. The import-time trigger bypasses sandboxed installs and install hook auditing: the payload runs in any environment where Python imports the library. If you installed either version, rotate all credentials accessible from that machine: GitHub PATs, GitHub Actions secrets, npm tokens, AWS keys, and any cloud credentials in environment variables or dotfiles. Audit recent commits to your repositories for the file paths in the IoC section. References
- pypi
- python
- oss
- malware
- supply-chain
- pytorch
- github-actions Author SafeDep Team safedep.io The Latest from SafeDep blogs Follow for the latest updates and insights on open source security & engineering Malicious durabletask on PyPI: Multi-Cloud Credential Stealer with Worm Capabilities Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each down a stage-2 payload that steals credentials from AWS, Azure, GCP,... Compromised node-ipc on npm: Credential Stealer via DNS Exfiltration Analysis of compromised node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on npm: a maintainer account takeover injects an 80KB obfuscated credential stealer that targets 100+ sensitive files (SSH keys,... Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+... Malicious npm Packages Backdoor Claude Code Sessions Five typosquatting npm packages ship a hidden ELF binary that fires on install and re-runs via Claude Code's SessionStart hook on every developer session. C2 is 207.90.194.2:443. Ship Code. Not Malware. Start free with open source tools on your machine. Scale to a unified platform for your organization.