Yesterday, versions 2.6.2 and 2.6.3 of the lightning PyPI package — the Python library used by hundreds of thousands of ML practitioners to organize PyTorch training code — were found to contain credential-stealing malware. The packages were quarantined after Socket’s research team flagged them 18 minutes post-upload. If you had automatic updates configured or ran pip install lightning on April 30, you should treat your environment as compromised and rotate everything.
The technical structure of the attack is worth examining because it represents a meaningful escalation in sophistication over typical PyPI malware. The payload doesn’t live in obvious Python files. Instead, the attacker injected code into __init__.py — which runs automatically when you import lightning — that launches a background daemon thread. That thread fetches and installs Bun, a Node.js-compatible JavaScript runtime, then executes router_runtime.js, an 11 MB obfuscated payload. The entire chain is cross-platform: the downloader detects the victim’s OS and architecture before proceeding.
Bundling a JavaScript runtime inside a Python ML package is unusual. It bypasses the assumption that a Python supply chain attack stays in Python, and it makes static analysis significantly harder — most PyPI scanners are tuned to look for suspicious Python patterns, not embedded JS runtimes that download from the network.
The data exfiltration scope is broad: SSH keys, shell histories, .env files, Git credentials, AWS/GCP/Azure configs, Kubernetes configs, Docker credentials, npm tokens, cryptocurrency wallet files (Bitcoin, Litecoin, Monero, Exodus, Ledger), VPN credentials, and Discord/Slack session tokens. Stolen data is RSA-2048 encrypted before exfiltration to attacker-controlled GitHub repositories, making network-level detection harder.
This is attributed to the same threat actor behind the “Mini Shai-Hulud” campaign — the name comes from a Dune-themed malicious commit signature that keeps appearing. The same campaign previously compromised LiteLLM (March 24), Telnyx (March 27), and Xinference in rapid succession. The pattern is deliberate: the targets are all tools that sit in AI development and deployment pipelines. Someone is specifically after the credentials of people building and running AI systems.
That targeting isn’t incidental. AI training environments are credential-rich in ways that generic developer machines often aren’t. A single ML workstation might have AWS credentials with access to expensive GPU instances, Hugging Face tokens that can push model weights to public repos, WandB API keys, GitHub tokens with write access to repositories containing training code, and cloud storage buckets full of training data. It’s a target profile that’s disproportionately valuable relative to how carefully those credentials are guarded — many AI practitioners treat their ~/.aws/credentials file the way they treat their IDE settings.
The detection timeline here was unusually fast. Socket’s automated analysis flagged the malicious versions within 18 minutes of upload. That’s the upside of ecosystem-level monitoring. The downside is that 18 minutes is still enough time for CI pipelines that build on push, especially those that do a fresh pip install against latest, to pull the package. Any system that ran between 00:00 and 00:18 UTC on April 30 — or at any point before the quarantine — may have been affected.
The OX Security writeup puts the total affected download count at 8.3 million, though that reflects the package’s historical download volume, not installs of the specific malicious versions. Still, lightning is widely used enough that the exposure window mattered.
The practical takeaways are familiar but worth repeating: pin your dependencies with hash verification, use virtual environments rather than system-wide installs, and treat any environment that ran an unpinned install as potentially compromised. For AI teams specifically, it’s worth auditing which credentials live on training machines and whether they have broader permissions than they need. A credential scoped to a single S3 bucket is worth less to an attacker than one with full IAM.
The Dune-themed naming is a curiosity. The attacker has been consistent about it across multiple campaigns — commit messages, payload names, GitHub repository descriptions all follow the same theme. Whether this is a calling card, misdirection, or just aesthetic preference is unclear, but the consistency suggests a single organized group rather than opportunistic copycat attacks.