The AI Framework Became the Backdoor: Lightning PyPI Supply Chain Attack Exposes Millions of ML Developers
TL;DR
PyPI package lightning (versions 2.6.2 & 2.6.3) compromised with multi-stage credential-stealing malware that executes automatically on import. Affects deep learning workflows; the package is downloaded hundreds of thousands of times daily. GitHub maintainer account compromised. Team PCP claimed responsibility; likely connected to Shai-Hulud worm campaign.
What Happened
On April 30, 2026, Socket Research Team detected a supply chain attack on the widely-used PyPI package lightning—a deep learning framework for training, deploying, and shipping AI products. Within 18 minutes of malicious versions 2.6.2 and 2.6.3 being published to PyPI, Socket's AI-powered scanner flagged both as malicious.
The compromised package includes a hidden _runtime directory containing a multi-stage execution chain that activates automatically when the module is imported—no user action required beyond import lightning. According to PyPI statistics, the legitimate package receives hundreds of thousands of daily downloads and millions per month, making this a high-impact incident for Python AI and machine learning environments worldwide.
An attacker also compromised the Lightning-AI project's GitHub account (pl-ghost), attempted to suppress disclosure issues (posting "SILENCE DEVELOPER" meme in response threads), and probed for lateral expansion to other Lightning-AI repositories. The attacker claimed responsibility via a Tor onion link posted directly in the GitHub issue, linking the attack to Team PCP and claiming LAPSUS$ as an operational "partner."
Technical Details
The Kill Chain
Stage 1: Bun Runtime Downloader
The payload begins with start.py, which downloads and executes Bun (a JavaScript runtime) directly from GitHub, providing a sandboxed execution environment for the next stage.
Stage 2: Obfuscated Malicious JavaScript
Once Bun is running, router_runtime.js—an 11 MB JavaScript bundle—is decompressed and executed. The file uses industry-standard JavaScript obfuscation (javascript-obfuscator) with:
- 703 references to process and env (environment variable harvesting)
- 463+ references to tokens and authentication material
- 336 references to repositories (GitHub abuse preparation)
- Secondary AES decryption layer for additional string obfuscation
Stage 3: Credential Harvesting & Exfiltration
The payload targets:
- GitHub tokens (OAuth, Personal Access, GitHub App JWTs, installation tokens)
- npm credentials (access tokens from .npmrc, in-memory token extraction)
- Cloud credentials (AWS IMDS, ECS credential endpoints, GCP Service Account keys, Azure managed identities)
- Kubernetes tokens (from mounted service account credentials)
- Environment variables (across Node.js, shell, build system contexts)
Extracted credentials are encoded and committed to attacker-controlled GitHub repositories via stolen tokens, ensuring persistence even if the PyPI package is pulled.
Stage 4: npm Package Worm
The malware includes logic to identify and infect developer npm package tarballs, enabling self-propagating lateral movement across CI/CD pipelines and developer workstations—consistent with the Shai-Hulud npm worm campaign.
Execution & Detection Evasion
- Daemon thread execution with suppressed output (stderr/stdout redirected)
- Automatic on import—no manual trigger needed, runs silently in background
- Bun runtime requirement—unusual enough to evade string-pattern detection, sophisticated enough to warrant investigation
- Obfuscation depth (multiple rotation + AES layers) defeats simple regex-based scanning
- GitHub issue suppression—attackers closed disclosure issues within one minute, destroying early warning visibility
Lyrie Assessment
This attack represents a critical inflection point in supply chain strategy: attackers are now targeting AI infrastructure directly, understanding that ML engineers control production code paths with minimal security scrutiny. Why it matters to CISOs:
1. AI is the new perimeter. While security teams fortify CI/CD and cloud access, ML teams import frameworks with zero security review. Lightning is a foundational dependency for every AI/ML team touching PyTorch, transformers, or deep learning workflows.
2. The worm learns. The presence of npm package infection logic and GitHub API abuse patterns directly connects this to the Shai-Hulud campaign—suggesting attackers are automating supply chain lateral expansion. One compromised PyPI package can seed infections across npm, Docker, and GitHub ecosystems in hours.
3. Automatic execution is the new game. Unlike previous supply chain attacks requiring build-time or runtime triggers, this payload activates on bare import—no configuration, no user action. Every developer who pulled pip install lightning==2.6.2 in the last 24 hours is compromised.
4. GitHub is now the exfiltration network. Attackers use stolen GitHub tokens to commit encoded credential dumps directly to repos. Standard GitHub audit logs show commits, but the data is in the commit content—embedded in obfuscated, encoded blobs that bypassed code review.
5. Defense is asymmetric. Socket detected the attack in 18 minutes. But the average enterprise won't know they imported the malicious versions for weeks. By then, the worm has propagated to npm, Docker, and private registries, requiring incident response across three ecosystems simultaneously.
Lyrie Verdict: This attack proves autonomous defense at machine speed is no longer optional—it's existential. Traditional patch cycles and manual security review lost to a credential-stealing worm running on millions of developer machines in less than an hour. CISOs need real-time supply chain visibility and automated malware detection at package installation time, not weeks later during incident response.
The fact that Team PCP claimed this via a Tor onion link also signals a shift: ransomware groups are now advertising supply chain attacks as they happen, turning them into operational intimidation and credential harvesting campaigns for extortion. This is attack + extortion as a unified operation.
Recommended Actions
1. Immediate (next 2 hours):
- Block lightning versions 2.6.2 and 2.6.3 across all package registries (pip, Artifactory, Nexus, CodeArtifact)
- Scan all build systems, CI/CD logs, and developer machines for execution of these versions
- Kill any running Python processes that imported lightning 2.6.2/2.6.3
2. Short-term (next 24 hours):
- Rotate ALL GitHub tokens, npm credentials, AWS keys, GCP service accounts, and Azure credentials
- Downgrade to lightning 2.6.1 (verified clean as of January 30, 2026)
- Audit GitHub repositories for unauthorized commits or suspicious encoded data
- Review CI/CD logs for unexpected Bun runtime downloads
3. Investigation:
- Assume any system that imported lightning 2.6.2/2.6.3 is compromised
- Treat Lightning-AI's GitHub account (pl-ghost) as fully compromised; rotate all project deploy tokens
- Check for lateral expansion attempts to other Lightning-AI repositories
- Correlate with infostealer feeds (credential theft) and breach databases (data sales) for evidence of downstream exfiltration
4. Long-term:
- Implement supply chain attestation (SLSA, in-toto) for all AI/ML dependencies
- Deploy runtime package scanning (Socket, Snyk, Dependabot) with automatic blocking on detection
- Establish "trust but verify" policies for AI frameworks—require reproducible builds and signed releases
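A triage helper for the Immediate and Short-term steps above, as an added example that is not code from the advisory or from Lightning-AI. It assumes the layout the advisory describes (a hidden lightning/_runtime directory holding start.py and router_runtime.js) and reads the version from dist-info metadata rather than importing the package, since import is the trigger; make_fixture builds a constructed sample tree for testing.

```python
"""Triage helper for the lightning 2.6.2 / 2.6.3 incident. Added example, not
code from the advisory or Lightning-AI. Assumes the layout the advisory gives:
a hidden lightning/_runtime directory holding start.py and router_runtime.js."""
import sysconfig
import tempfile
from pathlib import Path

COMPROMISED_VERSIONS = {"2.6.2", "2.6.3"}
LOADER_FILES = ("start.py", "router_runtime.js")


def installed_versions(site_packages: Path) -> dict[str, str]:
    """Read the version from dist-info METADATA; never import the package to ask it."""
    found = {}
    for meta in site_packages.glob("lightning-*.dist-info/METADATA"):
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.startswith("Version:"):
                found[meta.parent.name] = line.split(":", 1)[1].strip()
                break
    return found


def runtime_artifacts(site_packages: Path) -> list[str]:
    """Paths of the loader files under lightning/_runtime; empty if none present."""
    runtime_dir = site_packages / "lightning" / "_runtime"
    if not runtime_dir.is_dir():
        return []
    return sorted(str(p) for p in runtime_dir.rglob("*") if p.name in LOADER_FILES)


def triage(site_packages: Path) -> dict:
    """Flag a tree as compromised on either a bad version or the hidden loader."""
    versions = installed_versions(site_packages)
    bad = sorted(v for v in versions.values() if v in COMPROMISED_VERSIONS)
    artifacts = runtime_artifacts(site_packages)
    return {"bad_versions": bad, "artifacts": artifacts, "compromised": bool(bad or artifacts)}


def make_fixture(version: str, with_runtime: bool) -> Path:
    """Constructed sample site-packages tree for tests; not a real installation."""
    root = Path(tempfile.mkdtemp())
    dist = root / f"lightning-{version}.dist-info"
    dist.mkdir()
    (dist / "METADATA").write_text(f"Name: lightning\nVersion: {version}\n")
    target = root / "lightning" / "_runtime" if with_runtime else root / "lightning"
    target.mkdir(parents=True)
    for name in LOADER_FILES if with_runtime else ():
        (target / name).write_text("")  # empty placeholder; only the name matters here
    return root


if __name__ == "__main__":  # scan the interpreter's own site-packages
    print(triage(Path(sysconfig.get_paths()["purelib"])))
```

Run it under each interpreter and virtualenv that CI or developers use; a hit on either check is the signal to kill the process and start the token rotation listed above.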
Sources
1. Socket Research — lightning PyPI Package Compromised in Supply Chain Attack
2. Cybersecurity News — Popular Python Package lightning Hacked in Supply Chain Attack
3. PyPI — lightning Package History
4. GitHub Issue #21689 — Lightning-AI/pytorch-lightning (now suppressed by compromised account)
Lyrie.ai Cyber Research Division