Malicious PyTorch Lightning Package Steals Credentials and Worms npm Packages

The PyPI package lightning (a deep learning framework used for image classification, LLM fine-tuning, diffusion models, and time-series forecasting) was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3, published on April 30, 2026. Installing one of these versions with pip install lightning and then importing the package is enough to trigger the malicious code.
What the Malware Does
The malicious versions contain a hidden _runtime directory holding an obfuscated JavaScript payload that executes automatically when the module is imported. It steals:
- Credentials and authentication tokens
- Environment variables
- Cloud secrets
It also attempts to poison GitHub repositories by creating public repos named EveryBoiWeBuildIsaWormBoi. The attack uses Dune-themed naming conventions, consistent with the previous Mini Shai-Hulud campaign.
Cross-Ecosystem Spread: PyPI to npm
While the entry point is PyPI, the malware payload itself is JavaScript. Once running, if it finds npm publish credentials, it injects a setup.mjs dropper and a router_runtime.js file into every package that token can publish to. It sets scripts.preinstall to execute the dropper, bumps the patch version, and republishes. Any downstream developer who installs one of those packages runs the full malware, leading to further token theft and worm propagation.
Indicators of Compromise
Audit your projects for:
- Unexpected .claude/ or .vscode/ directories with strange contents
- New public repositories named EveryBoiWeBuildIsaWormBoi
- Unexpected npm packages published under your account
Remediation
If you have lightning version 2.6.2 or 2.6.3 in any project:
- Remove the package and downgrade to a safe version
- Rotate all GitHub tokens, cloud credentials, and API keys that were present in the affected environment
- Scan your repositories for the injected files listed above
- Check your npm tokens and audit published packages for unauthorized modifications
Semgrep has published an advisory and rule; trigger a new scan on your projects and check the advisories page at semgrep.dev/orgs/-/advisories to see if any projects have installed these versions.
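As an added example (not the advisory's or Semgrep's own tooling), the checks above can be applied to a checkout with a small Python audit script. It assumes Python pins live in requirements*.txt files and npm projects carry a package.json; the sample inputs at the bottom are constructed for a self-check, not taken from a real compromised project.

```python
import json
import re
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
INJECTED_FILES = {"setup.mjs", "router_runtime.js"}  # dropper + runtime the worm injects
PIN_RE = re.compile(r"^\s*lightning(?:\[[^\]]*\])?\s*==\s*([0-9][\w.]*)", re.I)

def installed_lightning_affected() -> bool:
    """True if the lightning distribution importable here is an affected version."""
    try:
        return version("lightning") in AFFECTED_VERSIONS
    except PackageNotFoundError:
        return False

def check_requirements(text: str) -> list[str]:
    """Affected 'lightning==X' pins (extras and case ignored); comment lines never match."""
    return [m.group(1) for line in text.splitlines()
            if (m := PIN_RE.match(line)) and m.group(1) in AFFECTED_VERSIONS]

def check_package_json(text: str) -> list[str]:
    """Flag an npm manifest whose preinstall hook runs the injected dropper."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    preinstall = str((scripts or {}).get("preinstall", ""))
    if any(name in preinstall for name in INJECTED_FILES):
        return [f"scripts.preinstall runs dropper: {preinstall!r}"]
    return []

def audit_tree(root: Path) -> list[str]:
    """Walk a checkout and collect every indicator hit as a human-readable line."""
    findings = []
    for path in root.rglob("*"):
        if path.name in INJECTED_FILES:
            findings.append(f"injected file present: {path}")
        elif path.name == "package.json":
            findings += [f"{path}: {f}" for f in check_package_json(path.read_text())]
        elif path.name.startswith("requirements") and path.suffix == ".txt":
            findings += [f"{path}: lightning=={v}" for v in check_requirements(path.read_text())]
        elif path.is_dir() and path.name in {".claude", ".vscode"}:
            findings.append(f"review contents by hand: {path}")
    return findings

# Constructed sample inputs (not real project files) for a quick self-check.
SAMPLE_REQUIREMENTS = "torch==2.3.0\nLightning == 2.6.3\n# lightning==2.6.2 (comment)\n"
SAMPLE_PACKAGE_JSON = '{"name": "demo", "version": "1.0.4", "scripts": {"preinstall": "node setup.mjs"}}'
```

Run audit_tree(Path(".")) from the repository root; any hit on a requirements pin or a preinstall dropper should be followed by the credential rotation steps listed above, not just removal of the file.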
📖 Read the full source: HN AI Agents