PyTorch Lightning PyPI compromise (Mini Shai-Hulud / TeamPCP)
Real-world incident, 30 Apr 2026

On 30 Apr 2026 two malicious versions of the PyTorch Lightning training framework, reportedly published as `lightning==2.6.2` and `lightning==2.6.3` on PyPI, were uploaded as part of a cross-ecosystem 'Mini Shai-Hulud' campaign that also reportedly hit the npm package `intercom-client@7.0.4`.

According to analyses by Socket, Semgrep and Kodem, the compromised package executed automatically on import (no user action beyond installation): a hidden `_runtime` directory and Python loader (illustratively `start.py`) silently fetched the Bun JavaScript runtime from GitHub releases and ran a large (~11-15 MB, per source) obfuscated payload (illustratively `router_runtime.js`).

The payload reportedly harvested GitHub and npm tokens, AWS/Azure/GCP cloud credentials, Kubernetes secrets, Vault tokens, CI/CD environment variables and shell/SSH material, then exfiltrated them via multiple channels including attacker C2, the GitHub commit-search API, and newly created public repositories (some reportedly carrying the description 'A Mini Shai-Hulud has Appeared'). Like the Shai-Hulud worm it imitates, the malware reportedly self-propagated by using stolen tokens to push malicious commits to victim repositories and, on npm, by injecting postinstall hooks into local package.json files.

The exposure window was short: Socket's automated scanner reportedly flagged the packages roughly 18 minutes after publication, and the Lightning maintainers yanked them within about 42 minutes total, with `lightning==2.6.1` cited as the last clean release. Researchers link the campaign to the actor tracked as TeamPCP based on shared tradecraft and Dune-themed naming, though several note that attribution remains inconclusive.

The case is a concrete AI/ML supply-chain compromise: poisoning a core model-training dependency to turn ordinary developer and CI/CD installs into a credential-harvesting, self-spreading foothold.
(Version numbers, payload sizes, file names and timings are as reported and may vary slightly between sources; payload names are illustrative, not operational.)
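As an added defender-side check (not from the write-up, the cited analyses or the Lightning project), the script below does two things a practitioner would want after reading the above: it flags the reported compromised `lightning` versions, and it scans a site-packages tree for the reported loader shape, a package whose `__init__` pulls in a `_runtime` directory holding a Python stub that downloads a runtime from GitHub releases next to a large JS payload. The size threshold, the fetch regex and the fixture tree are assumptions constructed for the example; the fixture contains no real payload.

```python
import re
import tempfile
from pathlib import Path

COMPROMISED = {"lightning": {"2.6.2", "2.6.3"}}   # versions reported as malicious
LOADER_DIR = "_runtime"                            # hidden loader directory, as reported
BIG_JS_BYTES = 1_000_000                           # assumed threshold; real payload ~11-15 MB
FETCH_RE = re.compile(r"github\.com/\S+/releases|urllib\.request|requests\.get", re.I)


def classify_version(name: str, version: str) -> str:
    # 'compromised' for a reported malicious release of that package, else 'ok'
    return "compromised" if version in COMPROMISED.get(name, set()) else "ok"


def find_suspect_loaders(site_packages: Path) -> list:
    """Report packages matching the import-time loader pattern described above."""
    findings = []
    for runtime_dir in sorted(site_packages.rglob(LOADER_DIR)):
        if not runtime_dir.is_dir():
            continue
        pkg = runtime_dir.parent
        init = pkg / "__init__.py"
        hooked = init.exists() and LOADER_DIR in init.read_text(errors="ignore")
        fetchers = [p.name for p in runtime_dir.glob("*.py")
                    if FETCH_RE.search(p.read_text(errors="ignore"))]
        big_js = [p.name for p in runtime_dir.glob("*.js")
                  if p.stat().st_size >= BIG_JS_BYTES]
        if hooked or fetchers or big_js:
            findings.append({"package": pkg.name, "import_hook": hooked,
                             "fetchers": fetchers, "large_js": big_js})
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed fixture mimicking the reported layout; no real payload inside."""
    bad = root / "lightning"
    (bad / LOADER_DIR).mkdir(parents=True)
    (bad / "__init__.py").write_text("from ._runtime import start  # runs on import\n")
    (bad / LOADER_DIR / "start.py").write_text(
        "import urllib.request\nURL = 'https://github.com/EXAMPLE/bun/releases/...'\n")
    (bad / LOADER_DIR / "router_runtime.js").write_bytes(b"//" + b"x" * BIG_JS_BYTES)
    clean = root / "numpy"            # a benign package, to show no false positive
    clean.mkdir()
    (clean / "__init__.py").write_text("")
    return root


def demo() -> list:  # scan the constructed fixture and return the findings
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_loaders(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(classify_version("lightning", "2.6.2"), demo())
```

Point `find_suspect_loaders` at a real `site-packages` directory to audit an environment; a hit is a signal to inspect, not proof of compromise.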
Sources
- PyTorch Lightning PyPI Package Compromised in Supply Chain Attack (Socket)
- Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library (Semgrep)
- Mini Shai-Hulud Strikes PyTorch Lightning and intercom-client: Inside the Cross-Ecosystem Supply Chain Attack (Kodem Security)
- How the PyTorch Lightning Community Discovered a Supply Chain Attack and Fixed it in 42 Minutes (Lightning.ai, maintainer disclosure)
- PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials (The Hacker News)
- PyTorch Lightning Supply Chain Attack Exposes Developer Credentials (Aviatrix Threat Research Center)