๐Ÿ”AI RiskAtlas
โ† Real-world cases

PyTorch Lightning PyPI compromise (Mini Shai-Hulud / TeamPCP)

Real-world incident · 30 Apr 2026

On 30 Apr 2026 two malicious versions of the PyTorch Lightning training framework — reportedly published as `lightning==2.6.2` and `lightning==2.6.3` on PyPI — were uploaded as part of a cross-ecosystem 'Mini Shai-Hulud' campaign that also reportedly hit the npm package `intercom-client@7.0.4`.

According to analyses by Socket, Semgrep and Kodem, the compromised package executed automatically on import (no user action beyond installation): a hidden `_runtime` directory and Python loader (illustratively `start.py`) silently fetched the Bun JavaScript runtime from GitHub releases and ran a large (~11-15 MB, per source) obfuscated payload (illustratively `router_runtime.js`). The payload reportedly harvested GitHub and npm tokens, AWS/Azure/GCP cloud credentials, Kubernetes secrets, Vault tokens, CI/CD environment variables and shell/SSH material, then exfiltrated them via multiple channels including attacker C2, the GitHub commit-search API, and newly created public repositories (some reportedly carrying the description 'A Mini Shai-Hulud has Appeared'). Like the Shai-Hulud worm it imitates, the malware reportedly self-propagated by using stolen tokens to push malicious commits to victim repositories and, on npm, by injecting postinstall hooks into local package.json files.

The exposure window was short: Socket's automated scanner reportedly flagged the packages roughly 18 minutes after publication, and the Lightning maintainers yanked them within about 42 minutes total, with `lightning==2.6.1` cited as the last clean release. Researchers link the campaign to the actor tracked as TeamPCP based on shared tradecraft and Dune-themed naming, though several note attribution remains inconclusive. The case is a concrete AI/ML supply-chain compromise: poisoning a core model-training dependency to turn ordinary developer and CI/CD installs into a credential-harvesting, self-spreading foothold.
(Version numbers, payload sizes, file names and timings are as reported and may vary slightly between sources; payload names are illustrative, not operational.)
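An added defender-side audit (my code, not tooling from Lightning or the cited researchers) that turns the reported indicators above into a check: it flags the reported versions in a requirements file or the installed `lightning` distribution and scans the package tree for the hidden `_runtime` loader layout and oversized JavaScript blobs. The version numbers, directory and file names are as reported above and serve as hints, not proof of compromise.

```python
"""Audit an environment for the reported malicious Lightning releases.
Added example; version numbers and file names are as-reported hints."""
from importlib import metadata
from pathlib import Path
import re

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}   # reported compromised releases
LAST_CLEAN_VERSION = "2.6.1"              # reported last clean release
SUSPICIOUS_DIR = "_runtime"               # hidden loader directory per analyses
SUSPICIOUS_FILES = {"start.py", "router_runtime.js"}  # illustrative names
LARGE_JS_BYTES = 5 * 1024 * 1024          # reported payload was ~11-15 MB
# Matches 'lightning==X.Y.Z' pins in requirements/constraints files
PIN_RE = re.compile(r"^\s*lightning\s*==\s*([\w.]+)", re.I)


def is_malicious_version(version: str) -> bool:
    """True if a version string matches a reported compromised release."""
    return version.strip() in MALICIOUS_VERSIONS


def flag_requirements(text: str) -> list[str]:
    """Return the lines of a requirements file that pin a reported bad release."""
    return [line.rstrip() for line in text.splitlines()
            if (m := PIN_RE.match(line)) and is_malicious_version(m.group(1))]


def find_suspicious_artifacts(root: Path) -> list[Path]:
    """Walk an installed package tree for the loader layout the analyses describe."""
    hits = set()
    for path in root.rglob("*"):
        if path.is_dir() and path.name == SUSPICIOUS_DIR:
            hits.add(path)
        elif path.is_file() and path.parent.name == SUSPICIOUS_DIR \
                and path.name in SUSPICIOUS_FILES:
            hits.add(path)
        elif path.is_file() and path.suffix == ".js" \
                and path.stat().st_size >= LARGE_JS_BYTES:
            hits.add(path)  # a multi-MB JS blob inside a PyTorch package is anomalous
    return sorted(hits)


def audit_installed() -> dict:
    """Check the installed 'lightning' distribution, if any, and its package tree."""
    try:
        dist = metadata.distribution("lightning")
    except metadata.PackageNotFoundError:
        return {"installed": False, "malicious_version": False, "artifacts": []}
    pkg_dir = Path(dist.locate_file("lightning"))  # site-packages/lightning
    artifacts = find_suspicious_artifacts(pkg_dir) if pkg_dir.is_dir() else []
    return {"installed": True, "version": dist.version,
            "malicious_version": is_malicious_version(dist.version),
            "artifacts": artifacts}


if __name__ == "__main__":
    print(audit_installed())
```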


AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan