PyTorch Lightning versions 2.6.2–2.6.3 were compromised in a supply chain attack released April 30, 2026. The compromised versions carry obfuscated JavaScript that steals credentials, tokens, environment variables, and cloud secrets on import, and the malware also attempts to poison GitHub repositories. Semgrep attributes the attack to the same threat actor behind the mini Shai-Hulud campaign, based on matching IOC structures and Dune-themed naming conventions.
Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library
PyTorch Lightning versions 2.6.2–2.6.3 compromised in supply chain attack that steals credentials and poisons repos across AI training workflows.
Friday, May 1, 2026 12:00 PM UTC | 2 MIN READ | SOURCE: Hacker News | BY sys://pipeline
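Because the payload runs on import, an exposure check should read version pins and package metadata rather than import the library. The following is an added example, not code from the article or from Semgrep; it assumes the PyPI distribution names `pytorch-lightning` and `lightning` and a requirements.txt-style input, neither of which the page states.

```python
import re
from importlib import metadata

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}  # as reported on this page
# Assumption (not stated on the page): the PyPI distribution names to check.
SUSPECT_NAMES = {"pytorch-lightning", "lightning"}
# name, optional [extras], then the specifier up to a marker, comment or "\"
LINE_RE = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*([^;#\\]*)")

def normalize(name):
    """PEP 503 normalization: pytorch_lightning -> pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, name, spec, status) for each suspect requirement line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        name = normalize(m.group(1)) if m else ""
        if name not in SUSPECT_NAMES:
            continue
        spec = m.group(2).strip()
        exact = spec.startswith("==") and "*" not in spec and "," not in spec
        if exact and spec.lstrip("= ") not in AFFECTED_VERSIONS:
            continue  # exact pin on a release the page does not list
        # a range or bare name may have resolved to an affected release
        findings.append((line_no, name, spec, "affected" if exact else "review"))
    return findings

def scan_installed():
    """Read installed versions from package metadata; imports nothing."""
    hits = set()
    for dist in metadata.distributions():
        try:
            name, version = dist.metadata.get("Name"), dist.version
        except Exception:  # unreadable or broken metadata
            continue
        if name and normalize(name) in SUSPECT_NAMES and version in AFFECTED_VERSIONS:
            hits.add((normalize(name), version))
    return sorted(hits)

# Constructed sample input, not taken from any real project.
SAMPLE = """\
pytorch_lightning==2.6.3 \\
    --hash=sha256:<placeholder>
Lightning[extra]==2.6.2 ; python_version >= "3.9"
lightning>=2.6
pytorch-lightning==2.6.1
"""
```

A "review" finding means the line does not pin an exact version, so the resolved version has to be confirmed from the lock file or from `scan_installed()` in each environment.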