PyTorch Lightning Supply Chain Attack — Threat Brief:

⚠️ ACTIVE THREAT — May 1, 2026: This incident is still under investigation. Developers who installed lightning==2.6.2 or lightning==2.6.3 should treat their environment as fully compromised and rotate all credentials immediately.
[Image: dark code on screen representing a software supply chain cyberattack. Caption: Supply chain attacks target the open-source distribution layer — not source code — making them exceptionally hard to detect. | DataWater.com Threat Brief]

Sources: The Hacker News · Socket.dev · Sonatype · Semgrep · Cyber Kendra · Lightning.ai · CyberSecurityNews · Let’s Data Science  |  Threat Actor: TeamPCP (Mini Shai-Hulud campaign)  |  CVE/Tracking: sonatype-2026-002817  |  Severity: Critical

Executive Summary

On April 30, 2026, threat actors successfully compromised PyTorch Lightning — one of the most widely used open-source Python frameworks for AI and machine learning — by publishing two malicious versions (2.6.2 and 2.6.3) to the Python Package Index (PyPI). The attack is part of a broader, ongoing campaign known as Mini Shai-Hulud, attributed to a threat group called TeamPCP, which has previously compromised LiteLLM, Telnyx, Checkmarx KICS Docker images, Bitwarden CLI, and SAP-related npm packages.

The malicious packages contained a credential-harvesting payload that executed automatically upon import — requiring no additional user interaction beyond a standard pip install. According to Socket’s AI scanner, the malicious versions were flagged just 18 minutes after publication. PyPI administrators quarantined the package within 42 minutes. The last safe version is 2.6.1.

Field                Detail
Package              lightning (PyTorch Lightning) on PyPI
Malicious Versions   2.6.2 and 2.6.3
Safe Version         2.6.1 (released January 30, 2026)
Published            April 30, 2026
Tracking ID          sonatype-2026-002817
Threat Actor         TeamPCP (Mini Shai-Hulud campaign)
Attack Vector        Compromised PyPI publishing credentials
Payload Size         11.4 MB obfuscated JavaScript (router_runtime.js)
Time to Detection    18 minutes (Socket AI scanner)
Time to Quarantine   42 minutes (PyPI admins)
GitHub Compromised   Yes — pl-ghost maintainer account

Attack Timeline

The attack unfolded with surgical precision over a narrow window on April 30, 2026:

  • ~12:20Z — Threat actors publish lightning==2.6.2 to PyPI using compromised project credentials. The build is uploaded directly to PyPI, bypassing GitHub source control entirely.
  • ~12:22Z — lightning==2.6.3 published minutes later. Despite no functional malware difference, version 2.6.3 modifies metadata and loader behavior in an attempt to evade static detection signatures.
  • ~12:38Z — Socket’s AI scanner flags both versions as malicious, 18 minutes after initial publication.
  • ~12:40–13:44Z — The compromised pl-ghost GitHub account pushes and deletes four short-lived branches across Lightning-AI repositories (litAI, utilities, torchmetrics), each existing for under one second — a failed attempt at lateral expansion.
  • ~13:00Z — Community member files GitHub issue #21689 titled “Possible supply chain attack on version 2.6.3.” The pl-ghost account closes the issue within one minute and posts a “SILENCE DEVELOPER” meme in response.
  • ~13:02Z — Socket files a follow-up warning issue. Also closed immediately by pl-ghost.
  • ~13:02Z — An attacker posts a Tor onion link in the GitHub thread pointing to a TeamPCP-branded site with a PGP-signed message claiming LAPSUS$ involvement.
  • ~13:02Z (approx.) — PyPI administrators quarantine the Lightning project. Both malicious versions are deleted. Total exposure window: 42 minutes.

Full Attack Chain: How the Malware Works

The attack is technically sophisticated, multi-stage, and self-propagating. Here is the complete execution flow as documented by Socket, Semgrep, Sonatype, and Aikido Security:

Stage 1 — Initial Compromise of PyPI Credentials

The attackers did not compromise the Lightning GitHub source repository directly. Instead, they obtained a project-scoped PyPI publishing token for the lightning package — likely through phishing, credential stuffing, or a prior infostealer infection on a maintainer machine. This allowed them to upload tampered builds directly to PyPI while the legitimate source code on GitHub remained untouched. This distinction is critical: the GitHub repository was clean, yet every user running pip install lightning received the attacker’s build.

Stage 2 — Malicious Package Structure

The malicious versions introduced the following changes to the legitimate package:

  • A hidden _runtime/ directory containing a downloader and an obfuscated JavaScript payload
  • A modified __init__.py that launches a background thread on import via a start.py helper script
  • An 11.4 MB hex-encoded, heavily obfuscated JavaScript file: router_runtime.js

Stage 3 — Automatic Execution on Import

When a developer runs import lightning — even in a CI/CD pipeline with no human present — the malicious __init__.py spawns a background thread that silently runs start.py. This script downloads the Bun JavaScript runtime (v1.3.13) and executes router_runtime.js. There is no visible output, no error, no warning. The developer sees nothing unusual.

Stage 4 — Credential Harvesting

The payload targets an extraordinarily wide range of secrets across the developer environment:

  • GitHub tokens — scans 80+ credential file paths for ghp_, gho_, and ghs_ prefixed tokens (up to 5 MB per file)
  • npm tokens — harvested from .npmrc and environment variables
  • Cloud credentials — AWS, GCP, and Azure keys from environment variables, config files, and credential stores
  • SSH keys — private key files across the filesystem
  • Shell history — .bash_history, .zsh_history, etc., which frequently contain secrets in plaintext
  • Cryptocurrency wallets — wallet files and seed phrases
  • All environment variables — full process.env dump

Stage 5 — Data Exfiltration

Stolen credentials are exfiltrated to attacker-controlled public GitHub repositories with randomly chosen Dune-universe names and the description “A Mini Shai-Hulud has Appeared” — making them directly searchable on GitHub. Data is committed as results/results-<timestamp>-<n>.json (base64-encoded), with files over 30 MB split into numbered chunks. Commit messages use chore: update dependencies as cover. If the malware obtains a valid ghs_ GitHub server token, it also pushes stolen data directly to all branches of the victim’s own repositories.

Stage 6 — Worm Propagation via npm

If the malware finds valid npm publishing credentials, it pivots to self-propagation: it injects a setup.mjs dropper and router_runtime.js into every npm package the token can publish to, adds a scripts.preinstall hook to package.json, bumps the patch version number, and republishes the infected tarballs. Any downstream user who installs those poisoned npm packages then receives the malware — a worm-like cascade across package ecosystems.

Stage 7 — IDE Persistence Hooks

In a novel escalation, the malware also plants persistence hooks inside infected repositories targeting two of the most common developer tools:

  • Claude Code: Writes a SessionStart hook with matcher: "*" into .claude/settings.json, pointing to node .vscode/setup.mjs. This fires every time a developer opens Claude Code in the infected repository — no user action beyond launching the session is required.
  • VS Code: Writes a parallel runOn: folderOpen task to .vscode/tasks.json that executes node .claude/setup.mjs every time the project folder is opened.

Semgrep notes this may be among the first documented instances of malware abusing Claude Code’s hook system in a real-world attack.

Threat Actor Attribution: TeamPCP & Mini Shai-Hulud

The attack has been attributed to TeamPCP, a threat group with an escalating track record of open-source supply chain attacks. The campaign name — Mini Shai-Hulud — is a reference to the giant sandworms from Frank Herbert’s Dune universe, a recurring motif in the group’s malware naming and exfiltration repository descriptions.

Known prior TeamPCP / Mini Shai-Hulud targets include:

  • LiteLLM — March 24, 2026
  • Telnyx — March 27, 2026
  • Xinference — March 2026
  • Checkmarx KICS Docker images — April 2026
  • Bitwarden CLI (npm) — April 2026
  • SAP-related npm packages — April 29, 2026 (the day before this incident)
  • intercom-client npm 7.0.4 — April 30, 2026 (same day, parallel attack)

During the incident, the group posted a PGP-signed message on a Tor onion site claiming LAPSUS$ as “a good partner throughout the operation.” Socket has not independently verified this attribution and notes it may reflect true collaboration, opportunistic association, or a deliberate false flag.

Indicators of Compromise (IOCs)

  • Installed package versions: lightning==2.6.2 or lightning==2.6.3
  • Filesystem paths: Unexpected _runtime/ directory inside the lightning package
  • Hidden files: .claude/settings.json with a SessionStart hook pointing to .vscode/setup.mjs
  • Hidden files: .vscode/tasks.json with a runOn: folderOpen task pointing to .claude/setup.mjs
  • Process activity: Unexpected bun process execution following a Python import
  • Network activity: Outbound connections to GitHub API (api.github.com) during or after package import
  • GitHub repos: Public repositories with Dune-universe names and description “A Mini Shai-Hulud has Appeared”
  • Commit messages: chore: update dependencies from unexpected actors or times
  • npm packages: Unexpectedly bumped patch versions with scripts.preinstall hooks in package.json

Immediate Remediation Steps

If you or anyone on your team installed or may have imported lightning==2.6.2 or lightning==2.6.3, treat the affected environment as fully compromised and take the following actions immediately:

  1. Downgrade lightning immediately: Run pip install lightning==2.6.1 on all affected machines, CI runners, and Docker images.
  2. Rotate ALL credentials: GitHub personal access tokens, GitHub Actions secrets, npm tokens, AWS/GCP/Azure access keys, SSH private keys, and any API keys or secrets present in environment variables or config files on affected machines.
  3. Audit GitHub repositories: Search for unexpected commits with message chore: update dependencies, unexpected branches, or new files in .claude/ or .vscode/ directories.
  4. Inspect CI/CD logs: Review pipeline logs for any bun process execution or unexpected outbound GitHub API calls during Python import steps.
  5. Review published npm packages: If npm tokens were present on affected machines, audit every package that token could publish to for unexpected version bumps or injected preinstall hooks.
  6. Scan for IOCs: Use Semgrep’s dependency filter to check if lightning 2.6.2/2.6.3 is present in any of your active projects.
  7. Check for exfiltration repos: Search GitHub for public repositories with description “A Mini Shai-Hulud has Appeared” — if your credentials appear in any, file a DMCA takedown and report to GitHub Security.
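An offline check for the indicators listed above and for remediation step 6, added here as an example (it is not code from the brief, from Lightning.ai, or from any of the cited vendors). It reads the installed version from package metadata rather than importing lightning, because the import is what fires the payload; the JSON layouts of .claude/settings.json and .vscode/tasks.json are assumed from each tool's documented settings format, and the paths and file names are the ones the brief lists.

```python
import json
from importlib.metadata import PackageNotFoundError, distribution
from pathlib import Path

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}   # releases named in the brief
DROPPER = "setup.mjs"                     # IDE-hook dropper named in the brief

def installed_lightning_version():
    # Metadata only: `import lightning` is exactly what fires the payload.
    try:
        return distribution("lightning").version
    except PackageNotFoundError:
        return None

def check_version(version):
    if version in MALICIOUS_VERSIONS:
        return [f"lightning=={version} is malicious: reinstall 2.6.1, rotate credentials"]
    return []

def check_package_dir(pkg_dir):
    # Hidden _runtime/ directory and router_runtime.js payload inside the package.
    found = [f"unexpected _runtime/ in {pkg_dir}"] if (pkg_dir / "_runtime").is_dir() else []
    return found + [f"payload present: {p}" for p in pkg_dir.rglob("router_runtime.js")]

def check_ide_hooks(repo):
    # Claude Code SessionStart hook and VS Code folderOpen task (layouts assumed from each
    # tool's docs); tasks.json is often JSONC, so parse failures are flagged, not ignored.
    findings = []
    claude, tasks = repo / ".claude" / "settings.json", repo / ".vscode" / "tasks.json"
    for path in (p for p in (claude, tasks) if p.is_file()):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append(f"unparseable {path}: inspect manually")
            continue
        if path == claude:
            entries = data.get("hooks", {}).get("SessionStart", [])
            hits = [e for e in entries if e.get("matcher") == "*"]
        else:
            hits = [t for t in data.get("tasks", [])
                    if t.get("runOptions", {}).get("runOn") == "folderOpen"]
        findings += [f"auto-run hook invokes {DROPPER}: {path}"
                     for h in hits if DROPPER in json.dumps(h)]
    return findings

if __name__ == "__main__":
    version = installed_lightning_version()
    findings = check_version(version) + check_ide_hooks(Path("."))
    if version is not None:  # locate_file() also avoids importing the package
        findings += check_package_dir(Path(distribution("lightning").locate_file("lightning")))
    print("\n".join(findings) or "no lightning IOCs found")
```

Run it from the root of each checked-out repository; a hit on the version check means the machine, its CI runners and its Docker images all fall under the credential rotation in step 2.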

Broader Implications for Developer Security

This attack is a textbook example of why the open-source software supply chain remains one of the most dangerous and underdefended attack surfaces in modern cybersecurity. Several structural lessons stand out:

  • Source code integrity does not equal package integrity. The GitHub repository was never compromised. Every standard code review, branch protection rule, and CI check was bypassed because the attacker operated entirely through the PyPI distribution channel.
  • Import = execution. Modern package managers execute code at install or import time. This is a fundamental design risk that defenders must account for in dependency policies.
  • Detection speed matters — but 18 minutes is still enough. Socket’s AI scanner caught the malware remarkably fast. Yet PyTorch Lightning receives hundreds of thousands of downloads per day. Even a 42-minute exposure window on a package of this scale likely resulted in widespread credential exposure.
  • IDE tooling is now an attack surface. The abuse of Claude Code and VS Code hooks for persistence represents a meaningful evolution in post-compromise tradecraft.

DataWater publishes daily cybersecurity threat briefs sourced from the most reliable security research organizations. This post reflects intelligence available as of May 1, 2026. The investigation is ongoing — check back for updates.
