If you've installed PyTorch Lightning recently, check your versions. Security researchers at Semgrep disclosed on April 30, 2026 that versions 2.6.2 and 2.6.3 of the widely-used deep learning framework were compromised in a supply chain attack. The malware activates just by running pip install lightning. That's it. No click, no extra step. Anyone building image classifiers, fine-tuning LLMs, or running diffusion models with Lightning in their dependency tree is in the blast radius.

The malicious code hides in a concealed _runtime directory and fires off obfuscated JavaScript payloads on import. The malware steals credentials, authentication tokens, environment variables, and cloud secrets from AWS, Azure, and Google Cloud Platform. It also plants persistence hooks targeting VS Code and Claude Code, two tools AI developers use constantly. GitHub searches turned up roughly 2,200 repositories containing the signature text "A Mini Shai-Hulud has Appeared," all created within a short window after the malicious packages went live.

The attack jumps ecosystems. The entry point is PyPI, but once running, the malware hunts for npm publish credentials and injects itself into every package it can access, bumps the patch version, and republishes. Anyone downstream who installs those packages gets hit too. Semgrep links the Dune-themed commit messages ("EveryBoiWeBuildIsAWormyBoi") to a threat actor behind a previous "Mini Shai-Hulud" campaign. The exfiltration uses four parallel channels, including an HTTPS POST to a command-and-control server and a clever GitHub commit search dead-drop that polls for specially formatted commit messages. This isn't amateur hour.

If you touched these versions, rotate your GitHub tokens, cloud credentials, and API keys now. Check your repositories for unexpected .claude/ and .vscode/ directories. The Nix package in the nixpkgs unstable channel (version 2.6.2) also appears infected, so this extends beyond direct PyPI installations. The attack vector is still under investigation, with community members questioning whether a malicious pull request made it through maintainer review or whether the package registry infrastructure itself was compromised.
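The checks above can be scripted as a first triage pass. The following is an added example, not code from Semgrep or the Lightning project: it reads the installed version from package metadata without importing the package, flags requirements pins on the two affected versions, and lists directories to review. The function names are hypothetical, and the assumption that the _runtime directory sits somewhere under a directory named lightning is ours, since the article does not give its exact path.

```python
import os
import re
from importlib import metadata

BAD_VERSIONS = {"2.6.2", "2.6.3"}      # versions named in the disclosure
REVIEW_DIRS = {".claude", ".vscode"}   # persistence targets named in the article
# Matches lines such as "lightning==2.6.2" or "lightning[extra] == 2.6.3".
PIN_RE = re.compile(
    r"^\s*lightning(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#,\\]*)", re.I | re.M)


def installed_lightning_version():
    """Read the version from package metadata. Never import the package:
    the payload is described as firing on import."""
    try:
        return metadata.version("lightning")
    except metadata.PackageNotFoundError:
        return None


def pinned_bad_versions(requirements_text):
    """Return affected versions pinned as lightning==X in requirements text."""
    return sorted({v for v in PIN_RE.findall(requirements_text) if v in BAD_VERSIONS})


def find_dirs_to_review(root):
    """List .claude/.vscode directories under root, plus any _runtime
    directory below a directory named 'lightning' (assumed layout)."""
    hits = []
    for current, dirs, _files in os.walk(root):
        for name in dirs:
            path = os.path.join(current, name)
            if name in REVIEW_DIRS:
                hits.append(path)
            elif name == "_runtime" and "lightning" in current.split(os.sep):
                hits.append(path)
        # Skip VCS internals and do not descend into directories already reported.
        dirs[:] = [d for d in dirs if d != ".git" and d not in REVIEW_DIRS]
    return sorted(hits)


if __name__ == "__main__":
    version = installed_lightning_version()
    print("installed lightning:", version, "AFFECTED" if version in BAD_VERSIONS else "")
    for path in find_dirs_to_review(os.getcwd()):
        print("review:", path)
```

A .vscode or .claude directory is often legitimate, so each hit is a prompt to inspect its contents and creation time, not proof of compromise. A clean result does not replace credential rotation if an affected version was ever installed.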