pytorch-lightning 2.6.3 Was Backdoored. 11 Million Monthly Downloads. No CVE.

RobertUpdated May 6, 20264 min read
Dark background. Large white monospace text centre frame: '11 million downloads. No CVE. Still a backdoor.' Below it one line of teal monospace: pytorch-lightning==2.6.3. Bottom left: > attestd in teal. Nothing else. Flat design, no photographs.

pytorch-lightning 2.6.3 Was Backdoored. 11 Million Monthly Downloads. No CVE.#

On April 30 2026, a malicious version of pytorch-lightning was published to PyPI. The package has 11 million monthly downloads. It is the deep learning framework used for pretraining and fine-tuning AI models across research and production environments.

The compromised version is 2.6.3. PyPI has since reverted to 2.6.1. If you ran import lightning with 2.6.3 installed, rotate everything.

No CVE has been filed.

How the attack worked#

The mechanism here is different from the .pth execution technique used in the LiteLLM and elementary-data attacks earlier this year. This one is more sophisticated.

Version 2.6.3 contained a hidden execution chain that triggers automatically on import. It silently spawns a background process that downloads Bun, a JavaScript runtime, from GitHub at version 1.3.13. It then executes an 11.4 MB heavily obfuscated JavaScript payload called router_runtime.js.

The payload, which Microsoft Threat Intelligence named ShaiWorm and detected via Defender, collects .env files, API keys, secrets, GitHub tokens, and credentials stored in Chrome, Firefox, and Brave. It then interacts directly with AWS, Azure, and GCP APIs to extract cloud credentials and supports arbitrary system command execution on the host.

Lightning AI confirmed the attack in a security advisory on GitHub issue 21689. The investigation into how the build or release pipeline was breached is ongoing.

Microsoft noted the malicious activity affected a small number of devices and appeared contained to a narrow set of environments, likely because Defender caught it on customer systems before broader propagation.

The pattern is evolving#

LiteLLM used litellm.pth. elementary-data used elementary.pth. Both relied on Python's path configuration mechanism to execute code at interpreter startup.

ShaiWorm does not use .pth. It embeds the execution chain inside the package itself, triggering on import and delegating to a downloaded JavaScript runtime for the payload. The obfuscation is heavier. The payload is larger. The mechanism is harder to detect through static analysis of the package contents alone.

Two things remain consistent across all three attacks: the payload targets cloud credentials and developer environment secrets, and no CVE is filed during the attack window. The supply chain signal is the only structured detector for this category of compromise.

What Attestd returns#

pytorch-lightning is now monitored by Attestd's supply chain integrity layer.

curl "https://api.attestd.io/v1/check?product=pytorch-lightning&version=2.6.3" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "pytorch-lightning",
  "version": "2.6.3",
  "supported": true,
  "risk_state": "none",
  "confidence": 1.0,
  "cve_ids": [],
  "last_updated": "2026-05-06T00:00:31.051711Z",
  "supply_chain": {
    "compromised": true,
    "sources": ["registry"],
    "malware_type": "backdoor",
    "description": "ShaiWorm payload. Downloads Bun JS runtime on import and executes obfuscated credential stealer targeting cloud credentials, browser data, and environment secrets.",
    "advisory_url": "https://github.com/Lightning-AI/pytorch-lightning/issues/21689",
    "compromised_at": "2026-04-30T00:00:00Z",
    "removed_at": null
  }
}

Three things worth noting about this response.

risk_state: "none" alongside supply_chain.compromised: true. No CVE exists for this compromise. A CVE-only tool returns clean for pytorch-lightning==2.6.3. The supply chain signal is the only detector that catches it.

sources: ["registry"] means this is a human-verified registry entry. The OSV MAL- advisory pipeline has not yet produced an independent advisory for this incident. When it does, sources will update to include osv.

removed_at: null on the compromised response does not mean the package is still on PyPI. It means the registry entry does not have a confirmed removal timestamp recorded. PyPI has reverted to 2.6.1 as the current release. Do not use 2.6.3.

The clean replacement:

curl "https://api.attestd.io/v1/check?product=pytorch-lightning&version=2.6.1" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "pytorch-lightning",
  "version": "2.6.1",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": []
  }
}

What to do if you were affected#

If pytorch-lightning==2.6.3 was installed in any environment and import lightning was executed during the exposure window:

Rotate immediately: AWS access keys and secrets, GCP credentials, Azure credentials, GitHub tokens, all API keys in .env files, and any secrets accessible from browser profiles on the affected machine.

Audit for unexpected outbound connections during the exposure window. The payload interacts with cloud APIs directly, so look for unexpected API calls from hosts that ran the malicious version.

Pin to pytorch-lightning==2.6.1 and verify before upgrading to any newer release until Lightning AI completes its pipeline audit.

The supply chain monitoring context#

This is the fourth significant PyPI supply chain attack Attestd has covered since March 2026. LiteLLM on March 24. elementary-data on April 24. PyTorch Lightning on April 30. Each one used a different execution mechanism. Each one targeted cloud credentials and developer secrets. None of them had a CVE during the active attack window.

The monitored PyPI package list now includes pytorch-lightning alongside the full AI and data science stack. The full list is at attestd.io/docs/supply-chain.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.