Full Report
A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. [...]
Analysis Summary
# Tool/Technique: ShaiWorm (Malicious PyTorch Lightning v2.6.3)
## Overview
A supply-chain attack involving a backdoored version of the popular deep learning framework `pytorch-lightning` (specifically version 2.6.3). The package executes a hidden chain upon import that downloads a JavaScript runtime (Bun) to run a heavily obfuscated information stealer.
## Technical Details
- **Type**: Malware family (Information Stealer / Supply-Chain Attack)
- **Platform**: Cross-platform (Windows/Linux/macOS via Bun runtime compatibility)
- **Capabilities**: Credential harvesting, API key theft, cloud service interaction, and arbitrary command execution.
- **First Seen**: April 30, 2026 (Reported date)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.002 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
  - T1059.007 - Command and Scripting Interpreter: JavaScript
  - T1569.002 - System Services: Service Execution (Silent background process)
- **TA0006 - Credential Access**
  - T1552.001 - Unsecured Credentials: Private Keys (API keys, GitHub tokens)
  - T1555.003 - Credentials from Web Browsers
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery (.env files)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Automated Execution**: Triggers immediately upon the Python command `import lightning`.
- **Environment Discovery**: Searches for and parses `.env` files to extract secrets and configuration data.
- **Browser Harvesting**: Targets data stored in Chrome, Firefox, and Brave browsers.
- **Cloud Credential Theft**: Interacts directly with cloud service APIs (AWS, Azure, GCP) to steal authentication tokens and metadata.
### Advanced Features
- **Heavily Obfuscated Payload**: The secondary stage (`router_runtime.js`) is an 11.4 MB obfuscated file designed to evade static analysis.
- **Custom Runtime Deployment**: Instead of relying on system-installed tools, it downloads a specific JavaScript runtime (`Bun v1.3.13`) to ensure consistent execution of its payload.
- **Remote Command Execution**: Supports receiving and executing arbitrary system commands from the attacker.
## Indicators of Compromise
- **File Hashes (SHA256)**:
  - *Note: Specific hashes for the 11.4MB payload were not provided in the source text, but the package version is identified as `lightning==2.6.3`.*
- **File Names**:
  - `router_runtime.js`
  - `bun` (The downloaded binary)
- **Network Indicators**:
  - `github[.]com` (Used for downloading the Bun runtime)
  - `pypi[.]org` (Distribution point for the malicious wheel)
- **Behavioral Indicators**:
  - PyTorch Lightning process spawning a background JavaScript runtime process immediately after execution.
  - Unusual outbound network traffic from a Python environment to cloud service API endpoints.
## Associated Threat Actors
- **Unknown**: Investigation into the breach of the PyPI build/release pipeline is ongoing. Microsoft Defender identifies the payload family as **ShaiWorm**.
## Detection Methods
- **Signature-based detection**: Antivirus solutions (e.g., Microsoft Defender) flag the library and payload as "ShaiWorm."
- **Behavioral detection**: Monitoring for Python processes reaching out to download binary executables (like the Bun runtime) or accessing sensitive directories (like browser profile folders).
- **Package Auditing**: Comparison of PyPI `py3-none-any` wheels against the official source code on GitHub.
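
A host-level triage check for the indicators above, added here as an example (it is not part of the original report or any vendor tooling). It reads installed-package metadata instead of importing the package, since the report says the chain fires on `import lightning`; the assumption that `router_runtime.js` sits under `site-packages` is ours, and the function names are illustrative.

```python
"""Offline triage for the indicators listed in this report (added example)."""
import site
import sys
from importlib import metadata
from pathlib import Path

# Indicators taken from the report: affected release and payload file name.
BAD_RELEASES = {("lightning", "2.6.3"), ("pytorch-lightning", "2.6.3")}
PAYLOAD_NAME = "router_runtime.js"


def _norm(name):
    # PyPI treats "-", "_" and "." in project names as equivalent.
    return (name or "").lower().replace("_", "-").replace(".", "-")


def triage(site_dirs):
    """Return (kind, detail) findings for the given site-packages dirs.

    Only *.dist-info metadata and file names are read; nothing is imported.
    """
    findings = []
    for root in map(Path, site_dirs):
        if not root.is_dir():
            continue
        for dist in metadata.distributions(path=[str(root)]):
            try:
                key = (_norm(dist.metadata["Name"]), dist.version)
            except Exception:  # damaged dist-info: skip it, keep scanning
                continue
            if key in BAD_RELEASES:
                findings.append(("bad-release", f"{key[0]}=={key[1]} in {root}"))
        # Assumption: the second stage is stored somewhere under site-packages.
        for hit in root.rglob(PAYLOAD_NAME):
            findings.append(("payload-file", str(hit)))
    return findings


def default_site_dirs():
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


if __name__ == "__main__":
    results = triage(default_site_dirs())
    for kind, detail in results:
        print(f"[!] {kind}: {detail}")
    sys.exit(1 if results else 0)
```

Run it with each interpreter or virtual environment that may have pulled the package; a non-zero exit means at least one indicator matched and the credential rotation under Mitigation Strategies applies.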
## Mitigation Strategies
- **Immediate Action**: If `lightning==2.6.3` was installed, rotate all API keys, GitHub tokens, and cloud credentials (AWS/Azure/GCP) immediately.
- **Rollback**: Downgrade to `pytorch-lightning` version 2.6.1, which is confirmed safe.
- **Prevention**: Implement Software Bill of Materials (SBOM) auditing and use lockfiles (e.g., `requirements.txt` with hashes) to prevent automatic updates to unverified versions.
- **Hardening**: Use environment-level restrictions (like Docker containers or low-privilege users) to limit the file system access of AI training scripts.
## Related Tools/Techniques
- **Dependency Confusion/Typosquatting**: Though this was a direct account/pipeline compromise, the execution technique mirrors common PyPI supply chain attacks.
- **Other Info-Stealers**: Similar in behavior to Lumma or RedLine, but specifically tailored for developer environments (targeting `.env` and cloud keys).