Shai-Hulud Malware Jumps from npm to PyTorch Lightning in 48 Hours
Can malware really jump between programming ecosystems like some digital parasite?
The answer arrived on April 30, 2026, when Shai-Hulud malware successfully leaped from npm to PyPI, compromising PyTorch Lightning versions 2.6.2 and 2.6.3. This wasn't just another supply chain attack—it was evolution in real-time.
The 18-Minute Window
Socket's Research Team flagged the malicious versions just 18 minutes after they hit PyPI. But that's 18 minutes too long when you're dealing with import-time execution. The moment you ran import lightning, you were compromised.
<> "JS payload wrapped in Python expands registry reach—cadence matches npm attack 48 hours prior" - Snyk Security Team/>
The malware's sophistication is genuinely impressive in the worst possible way. It downloads the Bun JavaScript runtime from GitHub, then executes an ~11MB obfuscated payload that vacuums up everything valuable:
- SSH keys and shell histories
- AWS IMDS credentials
- GitHub and npm tokens
- Cryptocurrency wallets
Then it hides a _runtime directory and lets PyTorch Lightning work normally. You'd never know you were pwned.
From s1ngularity to Ecosystem Domination
This attack traces back to a fascinating chain of compromises:
1. Late August 2025: s1ngularity/Nx compromise leads to initial GitHub token theft
2. September 15, 2025: First Shai-Hulud npm attack with worm-like propagation
3. November 2025: Shai-Hulud 2.0 hits 25,000+ repositories across 350 users
4. April 30, 2026: "Mini Shai-Hulud" jumps to PyPI
The November attack was particularly wild—Unit 42 detected LLM-generated bash scripts complete with emojis and helpful comments. The attackers literally used AI to write their malware.
The Perfect Storm
PyTorch Lightning became vulnerable through a timing accident. Git tag 2.6.2 was created March 19, 2026, but the GitHub Actions workflow failed. Issue #21681 noted the missing release on April 20.
Six weeks later, attackers exploited a stored PyPI token to upload malicious versions. The legitimate maintainers never saw it coming.
<> "We are aware of the issue and are actively investigating" - PyTorch Lightning maintainers/>
What This Means for AI Development
The ML ecosystem just got a wake-up call. PyTorch Lightning has millions of downloads and powers countless AI training pipelines. If you're working on LLMs or any serious ML project, you've probably imported this library.
Immediate actions:
- Pin to version 2.6.1:
pip install lightning==2.6.1 - Rotate ALL credentials (yes, all of them)
- Check your GitHub repos for suspicious branches like
add-linter-workflow-<timestamp> - Audit your wheels for hidden directories
Hot Take: Cross-Ecosystem Worms Are the New Normal
Here's my controversial prediction: Shai-Hulud just proved that language barriers in malware are dead.
Bun runtime makes it trivial to run JavaScript payloads inside Python packages. The same malware can now hit npm, PyPI, and probably RubyGems next week. We're looking at the first truly polyglot supply chain worm.
The 18-minute detection time sounds impressive until you realize this thing can propagate to thousands of repos in minutes using stolen tokens. Socket, Snyk, and other security tools are playing an increasingly impossible game of whack-a-mole.
The scariest part? This was "Mini" Shai-Hulud. If this is the lightweight version, what does the full-scale attack look like?
The spice must flow, but apparently so must the malware.
