Backdoored PyTorch Lightning Package on PyPI Drops Credential-Stealing Malware
A malicious version of the **PyTorch Lightning** package, version 2.6.3, was recently discovered on the **Python Package Index (PyPI)**. The compromised package delivered a credential-stealing payload targeting sensitive data stored in browsers, environment files, and cloud services.
The developer disclosed the supply-chain attack on April 30, saying that version 2.6.3 of the package included a hidden execution chain that downloads and executes a JavaScript payload.
**PyTorch Lightning** is a deep learning framework used for pretraining and fine-tuning AI models. It is a popular package, amassing more than [11 million downloads](http://pypistats.org/packages/pytorch-lightning) last month.
The security advisory from the maintainer notes that the malicious execution chain triggers automatically on import and silently spawns a background process.

That process downloads a JavaScript runtime ("Bun v1.3.13") from GitHub and executes an 11.4 MB heavily obfuscated JavaScript payload ("router_runtime.js").
In a post over the weekend, **Microsoft** Threat Intelligence reported that **Defender** detected and prevented the malicious routine on customer environments, and notified the package maintainer.
### ShaiWorm Information Stealer
The payload, which **Defender** detects as "ShaiWorm," is an information-stealing malware that targets .env files, API keys, secrets, GitHub tokens, and data stored in Chrome, Firefox, and Brave browsers.
It also interacts with cloud service APIs (**AWS**, **Azure**, **GCP**) to steal credentials and supports arbitrary system command execution.
"lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning," **Lightning AI** says in the [security advisory](https://github.com/Lightning-AI/pytorch-lightning/issues/21689).
"This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files."
### Limited Impact, Immediate Action Required
According to **Microsoft's** telemetry, the malicious activity affected "a small number of devices" and appears to have been "contained to a narrow set of environments."
**Lightning AI** warns that users who ran "import lightning" with version 2.6.3 may have had their secrets, keys, and tokens compromised. Because the payload runs on import, merely having the version installed and imported once is enough; in that case, an immediate rotation of all secrets, keys, and tokens reachable from the affected host is strongly recommended.
Currently, **PyTorch Lightning** has been reverted to 2.6.1 on **PyPI**, which is safe to use.
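As an added triage check (example code written for this page, not code from the article, Lightning AI or Microsoft), the script below flags pinned requirement lines and installed environments that carry the compromised release, and lists files whose names match the dropped artifacts the article names. It deliberately reads the installed version from package metadata instead of importing the package, since the advisory says the execution chain fires on import. The distribution names `lightning` and `pytorch-lightning`, the version `2.6.3`, and the names `router_runtime.js` and `bun` come from the article; where those files land on disk is an assumption, so an empty scan result is not a clean bill of health.

```python
"""Triage helpers for the PyPI Lightning 2.6.3 compromise (added example).

Never `import lightning` / `import pytorch_lightning` while triaging:
the maintainer advisory says the malicious chain triggers on import.
Versions are therefore read from package metadata only.
"""
import os
import re
from importlib import metadata

# Indicators from the article. The distribution names and version are
# the compromised release; the file names are the runtime and payload
# the article names. Their on-disk location is an assumption.
COMPROMISED_VERSION = "2.6.3"
DIST_NAMES = ("lightning", "pytorch-lightning")
IOC_FILENAMES = {"router_runtime.js"}
# Bun ships as a single binary, typically named "bun" or "bun.exe";
# the pattern is an assumption about how the loader stores it.
IOC_NAME_PATTERNS = (re.compile(r"^bun(\.exe)?$", re.IGNORECASE),)

# Pinned requirement line: "name == version", optional markers/comments after.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)")


def _normalize(name):
    """PEP 503-style normalization so lightning / Lightning / pytorch_lightning compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_requirements(lines):
    """Return (name, version) pairs for requirement lines pinning either
    distribution to the compromised release. Comment lines are ignored."""
    hits = []
    for line in lines:
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = _normalize(m.group(1))
        if name in DIST_NAMES and m.group(2) == COMPROMISED_VERSION:
            hits.append((name, m.group(2)))
    return hits


def installed_versions():
    """Installed versions of both distributions, read from metadata only."""
    found = {}
    for name in DIST_NAMES:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


def is_compromised(versions):
    """True if any distribution in the mapping is the compromised release."""
    return any(v == COMPROMISED_VERSION for v in versions.values())


def _is_ioc_name(filename):
    return filename in IOC_FILENAMES or any(p.match(filename) for p in IOC_NAME_PATTERNS)


def match_iocs(paths):
    """Pure filter: keep paths whose base name is a known indicator."""
    return sorted(p for p in paths if _is_ioc_name(os.path.basename(p)))


def scan_for_iocs(root):
    """Walk a directory tree (site-packages, caches, home) for indicator file names."""
    paths = (os.path.join(dp, fn) for dp, _dirs, files in os.walk(root) for fn in files)
    return match_iocs(paths)


if __name__ == "__main__":
    import site

    versions = installed_versions()
    print("installed:", versions or "none")
    print("compromised release present:", is_compromised(versions))
    for d in site.getsitepackages():
        for hit in scan_for_iocs(d):
            print("IOC:", hit)
```

Run it from the interpreter that owns the suspect environment (the same one that would run `import lightning`), and point `scan_for_iocs` at any download or cache directories the process could write to. A compromised-version hit means the host should be treated as compromised regardless of the scan result.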
### Investigation Underway
At this time, it is unclear exactly how the supply-chain compromise occurred, and the package's publishers are currently investigating how the build/release pipeline was breached.
Additionally, all other recent releases will be audited for similar payloads, and users will be notified via all available channels.