Shai-Hulud Malware Targets PyTorch Lightning AI Training Library

On April 30, 2026, security researchers at Semgrep discovered a sophisticated malware campaign called 'Shai-Hulud' embedded in the PyTorch Lightning library on PyPI. The malware, specifically the 'EveryBoiWeBuildIsaWormBoi' variant, affected versions 2.6.2 and 2.6.3 of the 'lightning' package and executed automatically upon module import.

Multi-Stage Attack Used Four Parallel Exfiltration Channels

The malware operated through a hidden _runtime directory containing obfuscated JavaScript. It established four simultaneous exfiltration methods:

Direct HTTPS POST requests to command-and-control servers
GitHub commit search API dead-drops for covert communication
Public GitHub repositories created specifically as data repositories
Direct pushes to victim repositories

Malware Targeted Wide Range of Developer Credentials

Shai-Hulud was designed to steal sensitive credentials from AI/ML development environments:

Filesystem tokens including GitHub and npm credentials
Environment variables containing secrets
GitHub Actions secrets and runner memory
AWS credentials and Secrets Manager values
Azure Key Vault secrets
GCP Secret Manager credentials

Persistence Mechanisms Injected Hooks Into Developer Tools

The malware established persistence by injecting hooks into common developer tools:

Claude Code settings files (.claude/settings.json)
VS Code task configurations (.vscode/tasks.json)
A self-contained Bun runtime dropper for continued execution

Key Takeaways

Semgrep discovered the Shai-Hulud malware in PyTorch Lightning versions 2.6.2 and 2.6.3 on April 30, 2026
The malware used four parallel exfiltration channels including GitHub API dead-drops and direct repository pushes
Targeted credentials included GitHub tokens, AWS credentials, Azure Key Vault secrets, and GCP Secret Manager data
Organizations using affected versions should immediately rotate all tokens, cloud credentials, and API keys from compromised environments
The attack demonstrates growing sophistication in supply chain attacks targeting AI/ML development infrastructure

Multi-Stage Attack Used Four Parallel Exfiltration Channels

The malware operated through a hidden _runtime directory containing obfuscated JavaScript. It established four simultaneous exfiltration methods:

Direct HTTPS POST requests to command-and-control servers

GitHub commit search API dead-drops for covert communication

Public GitHub repositories created specifically as data repositories

Direct pushes to victim repositories

Malware Targeted Wide Range of Developer Credentials

Shai-Hulud was designed to steal sensitive credentials from AI/ML development environments:

Filesystem tokens including GitHub and npm credentials

Environment variables containing secrets

GitHub Actions secrets and runner memory

AWS credentials and Secrets Manager values

Azure Key Vault secrets

GCP Secret Manager credentials

Key Takeaways

Semgrep discovered the Shai-Hulud malware in PyTorch Lightning versions 2.6.2 and 2.6.3 on April 30, 2026

The malware used four parallel exfiltration channels including GitHub API dead-drops and direct repository pushes

Targeted credentials included GitHub tokens, AWS credentials, Azure Key Vault secrets, and GCP Secret Manager data

Organizations using affected versions should immediately rotate all tokens, cloud credentials, and API keys from compromised environments

The attack demonstrates growing sophistication in supply chain attacks targeting AI/ML development infrastructure