Jeribah

Dune-Inspired Malware Infiltrates Popular AI Library: Full Breakdown

Published: 2026-04-30 19:51:11 | Category: Cybersecurity

In late April 2026, security researchers uncovered a sophisticated supply chain attack targeting the lightning package on PyPI, a critical dependency in the AI/ML ecosystem. The malware, dubbed "Shai-Hulud" after the giant sandworms from Frank Herbert's Dune, compromised versions 2.6.2 and 2.6.3 of the PyTorch Lightning library. This attack not only steals credentials and cloud secrets but also propagates to npm packages, posing a severe threat to developers. Below, we answer key questions about this incident.

What Exactly Happened with the Lightning Package?

The PyPI package lightning, a widely used deep learning framework, was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3, published on April 30, 2026. Teams building image classifiers, fine-tuning LLMs, running diffusion models, or developing time-series forecasters often have lightning in their dependency tree. Simply running pip install lightning on the malicious versions activates the payload. The package contains a hidden _runtime directory with obfuscated JavaScript that executes automatically upon module import. The malware steals credentials, authentication tokens, environment variables, and cloud secrets, and also attempts to poison GitHub repositories by creating public repositories named EveryBoiWeBuildIsaWormBoi.

Which Versions Are Affected?

The compromise is limited to two specific versions of the lightning package: 2.6.2 and 2.6.3. These were published on the same day, April 30, 2026. Users who installed lightning via PyPI on or after that date could be impacted. It is crucial to check your installed version and any projects that list lightning as a dependency. If you are using a version earlier than 2.6.2 or later than 2.6.3 (once a fixed release is issued), you are not directly affected by this specific attack. However, because the malware can propagate to other packages via npm tokens, it's important to audit your entire dependency tree.
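
An added example (not code from the researchers or the Lightning project): a Python check that reads installed package metadata from disk instead of importing lightning, since import is what runs the payload, and that finds exact pins of 2.6.2 or 2.6.3 in requirements-style files. The location of _runtime under the package directory and the file-name filter are assumptions.

```python
import re
import site
import sys
from email import message_from_string
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}  # affected releases named in the article
# Exact pin such as "lightning==2.6.2" or "lightning[extra]==2.6.3";
# does not match pytorch-lightning or lightning-utilities.
PIN_RE = re.compile(r"^\s*lightning(?:\[[^\]]*\])?\s*==\s*([0-9][\w.]*)", re.I | re.M)

def installed_findings(site_dirs):
    """Inspect dist-info metadata on disk; lightning is never imported."""
    findings = []
    for root in map(Path, site_dirs):
        for meta in root.glob("lightning-*.dist-info/METADATA"):
            hdr = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
            if (hdr["Name"] or "").lower() != "lightning":
                continue
            if hdr["Version"] in BAD_VERSIONS:
                findings.append(("installed", str(meta.parent), hdr["Version"]))
        pkg = root / "lightning"
        if pkg.is_dir():
            # Assumption: the _runtime directory sits somewhere under the package.
            for d in pkg.rglob("_runtime"):
                if d.is_dir():
                    findings.append(("runtime-dir", str(d), ""))
    return findings

def pinned_findings(project_root):
    """Find exact pins of an affected release in requirements-style files."""
    findings = []
    for path in Path(project_root).rglob("*.txt"):
        # Assumption: pins live in files named like requirements*.txt or constraints*.txt.
        if "requirements" not in path.name and "constraints" not in path.name:
            continue
        for version in PIN_RE.findall(path.read_text(encoding="utf-8", errors="replace")):
            if version in BAD_VERSIONS:
                findings.append(("pinned", str(path), version))
    return findings

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    project = sys.argv[1] if len(sys.argv) > 1 else "."
    results = installed_findings(dirs) + pinned_findings(project)
    for kind, where, version in results:
        print(f"{kind}\t{version}\t{where}")
    sys.exit(1 if results else 0)
```

Run it with the interpreter of each environment you want to check; a non-zero exit status means at least one finding.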

How Does the Malware Work? A Technical Overview

The malware's execution begins when Python imports the lightning module. A hidden _runtime directory contains obfuscated JavaScript code that runs automatically. The exfiltration component uses four parallel channels to send stolen data back to a command-and-control (C2) server via HTTPS POST, ensuring data exfiltration succeeds even if individual paths are blocked. The payload steals credentials, authentication tokens, environment variables, and cloud secrets from the infected machine. Additionally, it attempts to poison local GitHub repositories by injecting malicious files into .claude/ and .vscode/ directories, and creates public repositories with Dune-themed names. The malware also monitors for npm publish credentials to propagate itself into other packages.

How Does the Attack Spread from PyPI to npm?

Unlike the earlier "mini Shai-Hulud" campaign that targeted npm directly, this attack uses PyPI as the entry point. The malware payload is still JavaScript, and worm propagation happens through npm. Once the malware executes, it looks for npm publish credentials (tokens or login sessions) on the infected machine. If found, it injects a setup.mjs dropper and router_runtime.js into every package that token can publish to. It then modifies the package's scripts.preinstall field to execute the dropper when the package is installed, bumps the patch version (e.g., from 1.2.3 to 1.2.4), and republishes the package. Any downstream developer who installs one of these infected npm packages will then run the full malware on their machine, potentially stealing their tokens and further worming their own packages.
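
As an added detection example, not taken from the original report: this Python scan walks a source tree or node_modules directory and flags packages whose manifest or files match the injection described above. The function names are illustrative, and a file-name match alone is a lead to review, not proof of compromise.

```python
import json
from pathlib import Path

# File names the article says are injected into republished npm packages.
DROPPER_FILES = ("setup.mjs", "router_runtime.js")

def scan_package(pkg_dir):
    """Return the reasons a single package directory looks suspicious."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or malformed manifest: nothing to evaluate
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    pre = scripts.get("preinstall", "") if isinstance(scripts, dict) else ""
    reasons = []
    if isinstance(pre, str) and any(name in pre for name in DROPPER_FILES):
        reasons.append(f"preinstall references dropper: {pre!r}")
    elif pre:
        # Legitimate packages also use preinstall, so this is only a review item.
        reasons.append(f"preinstall present, review: {pre!r}")
    for name in DROPPER_FILES:
        if (pkg_dir / name).is_file():
            reasons.append(f"file present: {name}")
    return reasons

def scan_tree(root):
    """Map each flagged package directory under root to its reasons."""
    report = {}
    for manifest in Path(root).rglob("package.json"):
        reasons = scan_package(manifest.parent)
        if reasons:
            report[str(manifest.parent)] = reasons
    return report

if __name__ == "__main__":
    import sys
    for where, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for reason in reasons:
            print(f"{where}: {reason}")
```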

What Are the Indicators of Compromise (IOCs) and How Can I Detect Them?

The primary IOCs follow a Dune-themed naming convention. The malicious commit messages use the prefix EveryBoiWeBuildIsAWormyBoi (distinguishing it from the original mini Shai-Hulud campaign). Infected projects may contain unexpected files in .claude/ and .vscode/ directories. Additionally, public repositories named EveryBoiWeBuildIsaWormBoi may appear on GitHub. For detection, developers can use Semgrep, which has an advisory and rule covering this attack. Trigger a new scan on your projects and check the advisories page at https://semgrep.dev/orgs/-/advisories to see if any projects installed these malicious versions. If the dependency filter shows "No matching dependencies", you are not actively using the malicious package. If you match, audit your repositories for the injected files and rotate any exposed credentials.

What Should I Do if I'm Affected? Remediation Steps

If your scan detects the malicious lightning versions, take immediate action. First, rotate all GitHub tokens, cloud credentials, and API keys that were present on the affected environment. Second, audit your repositories for injected files in .claude/ and .vscode/ directories and remove them. Third, downgrade or upgrade lightning to a safe version (2.6.1 or earlier, or wait for a patched release). Fourth, check any npm packages you maintain—if the malware had access to npm publish credentials, it may have wormed your packages. Use npm audit and review package versions for unexpected bumps. Finally, monitor GitHub for any public repositories created by the attacker under your account. Semgrep users should run a full scan and review the advisories page for additional guidance.

Who Is Behind This Attack? Is It Linked to Previous Campaigns?

Security researchers believe this attack is the work of the same threat actor behind the earlier "mini Shai-Hulud" campaign. The indicator of compromise structure is consistent: malicious commit messages follow the same Dune-themed naming convention. This new campaign uses the prefix EveryBoiWeBuildIsAWormyBoi to distinguish itself. The parallel four-channel exfiltration mechanism also matches the design of the previous campaign. The shift from an npm entry point (mini Shai-Hulud) to a PyPI entry point suggests the attackers are expanding their targets while reusing proven technical components. Organizations that were hit by mini Shai-Hulud should be especially vigilant, as the attackers appear to be actively developing their capabilities.