PyTorch Lightning Package Backdoor Steals Developer Credentials
A malicious version of PyTorch Lightning (v2.6.3) was published to PyPI, embedding a hidden execution chain that silently downloads a JavaScript runtime and executes a heavily obfuscated credential-stealing payload dubbed 'ShaiWorm'. The attack targeted AI/ML developers who use this popular deep learning framework, exposing cloud credentials, API keys, browser-stored secrets, and GitHub tokens. The package has since been reverted to a safe version, but any developer who imported the compromised version should rotate all secrets immediately.