Hacker News
Shai-Hulud Malware Compromises PyTorch Lightning — Supply Chain Attack Steals Credentials from AI Training Library
Versions 2.6.2 and 2.6.3 of the PyPI 'lightning' package (PyTorch Lightning) were compromised with Dune-themed malware that auto-executes on import, downloading an 11 MB obfuscated JavaScript payload via the Bun runtime. The attack harvests SSH keys, cloud credentials, GitHub/npm tokens, shell histories, and cryptocurrency wallets, exfiltrating to attacker-controlled repos. With hundreds of thousands of daily downloads, this is among the highest-impact PyPI compromises of the year, discovered by Semgrep and confirmed by Aikido, Socket, and The Hacker News.
↳ Follow the thread