pytorch-lightning
pytorch-lightning is identified in the SafeDep analysis "PyTorch Lightning Compromised: Shai-Hulud Worm Reaches PyPI". PyPI yanked PyTorch Lightning versions 2.6.2 and 2.6.3 after both embedded a two-stage credential-stealing payload. Any import of the library spawns an 11MB obfuscated JavaScript worm identical to the Shai-Hulud payload seen in the April 29 SAP npm campaign.
discovered 2026-04-30
Threat types
- credential_stealer
- data_exfiltration
- worm
Malicious versions
- 2.5.3
Campaigns
Indicators
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.006 Command and Scripting Interpreter: Python
- T1552.001 Unsecured Credentials: Credentials In Files
- T1041 Exfiltration Over C2 Channel
- T1528 Steal Application Access Token
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1021 Remote Services
- T1098 Account Manipulation
- T1027 Obfuscated Files or Information
