AI Supply Chain Attack: Shai-Hulud Malware Hits PyTorch Lightning Library
Sophisticated Supply Chain Attack Targets AI Development Ecosystem
A critical software supply chain attack has compromised the widely-used PyTorch Lightning AI training library, injecting Dune-themed malware designed to steal credentials and worm its way through development environments. The malicious code was discovered in versions 2.6.2 and 2.6.3 of the 'lightning' PyPI package, published on April 30, 2026.
This incident represents a significant escalation in the ongoing 'Shai-Hulud' campaign. Security researchers from Semgrep, Socket, and Wiz have linked it to the same threat actor, identified as TeamPCP, responsible for previous attacks on npm and SAP packages. The attack vector directly targets the booming AI/ML development community.
How the Attack Unfolds: From PyPI to npm
The attack begins when a developer installs the compromised lightning package via pip. Upon import, code in a hidden _runtime directory executes. This contains a 14.8 MB obfuscated JavaScript payload designed to run on the Bun runtime.
Once activated, the malware performs a multi-pronged credential harvest. It scans for over 80 credential file paths, dumps environment variables, and specifically targets secrets from GitHub Actions runners, AWS, Azure, and GCP. The targeting is comprehensive, covering local development machines, CI/CD pipelines, and cloud infrastructure.
The malware's propagation mechanism is particularly insidious. If it discovers npm publish credentials, it injects itself into every package that token can access. It adds a dropper script, bumps the patch version, and republishes the poisoned package. This creates a worm-like effect, where downstream developers installing *any* of these compromised npm packages trigger the full malware on their systems.
Advanced Exfiltration and Persistence Tactics
The data exfiltration employs four parallel channels to ensure stolen data escapes, even if some paths are blocked. These include direct HTTPS POSTs to a command-and-control server, the creation of public GitHub repositories with the description "A Mini Shai-Hulud has Appeared," and abusing GitHub's commit search API as a dead-drop.
Perhaps most novel is the malware's abuse of developer tooling for persistence. It plants hooks in two common tools:
- Claude Code: Modifies .claude/settings.json to execute malware on session start.
- VS Code: Creates a .vscode/tasks.json file that runs the payload every time the project folder is opened.
This is among the first documented real-world attacks abusing Claude Code's hook system, signaling a new frontier in supply chain attacks that exploit AI-assisted development environments.
Cross-Ecosystem Impact and Scale
This attack demonstrates a dangerous cross-pollination between ecosystems. While the initial infection vector was the Python PyPI package, the payload is JavaScript and its primary propagation is through the npm registry. According to Ox Security, over 1,800 repositories containing stolen developer credentials have been created as part of the broader Mini Shai-Hulud attacks.
The campaign's reach extended beyond PyTorch Lightning. The Intercom npm client packages (versions 7.0.4 and 7.0.5) and the PHP Packagist package intercom-php (version 5.0.2) were also compromised, with the latter having over 20 million lifetime downloads. Evidence suggests the Intercom compromise was a direct result of the Lightning attack, where a local installation used the infected package as a dependency.
Indicators of Compromise and Response
Organizations must immediately check for the affected package versions: lightning@2.6.2 and lightning@2.6.3. Key files to search for include the hidden _runtime/ directory, .claude/settings.json, .vscode/tasks.json, and associated setup.mjs dropper files.
Network indicators include searches for GitHub commit messages prefixed with EveryBoiWeBuildIsAWormyBoi or repositories with the description "A Mini Shai-Hulud has Appeared." The domain zero[.]masscan[.]cloud has also been identified as part of the exfiltration infrastructure.
Remediation is urgent. Any system that imported the malicious package should be considered fully compromised. All GitHub tokens, cloud credentials (AWS, GCP, Azure), and API keys present in the affected environment must be rotated immediately. Code repositories should be audited for the injected files and any unexpected Formatter GitHub Actions workflows.
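As an added triage example (not code from the article or from any of the vendors it cites), the script below walks a checkout and flags the indicators named above and in the persistence section: an affected lightning pin, a _runtime directory or setup.mjs dropper, and a .claude/settings.json or .vscode/tasks.json that points at the payload. The sample workspace it builds is constructed for the demo, and the assumption that a planted hook references the runtime directory or dropper by name is mine.

```python
import json
import re
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}                        # from the article
SUSPECT_NAMES = {"_runtime", "setup.mjs"}                     # from the article
HOOK_FILES = (".claude/settings.json", ".vscode/tasks.json")  # from the article
SUSPECT_PATTERN = re.compile(r"_runtime|setup\.mjs", re.I)    # assumed: hook names the payload

def lightning_version_affected(requirements_text: str) -> bool:
    """True if a 'lightning==X' pin names a version the article flags."""
    for line in requirements_text.splitlines():
        m = re.match(r"\s*lightning\s*==\s*([\w.]+)", line)
        if m and m.group(1) in AFFECTED_VERSIONS:
            return True
    return False

def hook_file_suspicious(text: str) -> bool:
    """True if a settings.json / tasks.json body points at the payload."""
    try:
        text = json.dumps(json.loads(text))  # normalise escapes in valid JSON
    except json.JSONDecodeError:
        pass                                  # malformed file: scan the raw text
    return bool(SUSPECT_PATTERN.search(text))

def scan_workspace(root: Path) -> list[str]:
    """Walk a checkout and return findings matching the article's indicators."""
    findings = [f"suspect path: {p.relative_to(root)}"
                for p in root.rglob("*") if p.name in SUSPECT_NAMES]
    for rel in HOOK_FILES:
        f = root / rel
        if f.is_file() and hook_file_suspicious(f.read_text(errors="replace")):
            findings.append(f"hook file references payload: {rel}")
    req = root / "requirements.txt"
    if req.is_file() and lightning_version_affected(req.read_text()):
        findings.append("requirements.txt pins an affected lightning version")
    return findings

def build_demo_workspace() -> Path:
    """Constructed sample workspace reproducing the indicators (no real payload)."""
    root = Path(tempfile.mkdtemp())
    (root / "requirements.txt").write_text("torch==2.4.0\nlightning==2.6.3\n")
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "bun ./_runtime/setup.mjs",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "pkg" / "_runtime").mkdir(parents=True)
    return root

if __name__ == "__main__":
    print(*scan_workspace(build_demo_workspace()), sep="\n")
```

Point scan_workspace at a real checkout root to triage it; a hit on any finding means the credential rotation described above applies to that machine.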
The Broader Threat Landscape: AI and Supply Chain Security
This attack occurs within a worrying trend of supply chain attacks abusing trusted AI and developer platforms. As noted in separate reporting, threat actors are increasingly poisoning repositories on Hugging Face and ClawHub to distribute malware, leveraging user trust in legitimate-looking AI tooling.
Furthermore, evidence found in similar campaigns, such as leftover prompts in malicious code, suggests attackers are increasingly using Large Language Models (LLMs) to develop and refine their payloads. This creates a concerning feedback loop where AI, used to accelerate development, is also being weaponized to attack the very ecosystems it enables.
The Shai-Hulud campaign, attributed to TeamPCP, shows a cybercrime group growing in sophistication. Their operations have evolved from targeting single ecosystems to orchestrating multi-platform, wormable attacks that can jump from Python to JavaScript to PHP, maximizing damage and complicating defense.
For the AI and open-source community, this is a stark reminder. The tools that power innovation are under sustained attack. Vigilant dependency management, robust secret scanning, and a security-first approach to CI/CD are no longer optional—they are fundamental to the integrity of the modern software supply chain.