PyTorch Lightning Version 2.6.3 Was Compromised to Deliver an Infostealer
An infostealer was distributed through a compromised version of PyTorch Lightning, a framework with millions of downloads. It is yet another clear example of a supply chain attack. Here’s what we know.
Malware that activates on import
PyTorch Lightning is no small project: this framework, widely used for fine-tuning AI models, racked up more than 11 million downloads last month. Unfortunately, on April 30, the developer disclosed a security incident involving version 2.6.3 of the tool. Although the exact origin of the compromise was not specified, the compromise itself is confirmed.
Version 2.6.3 was compromised, and the injected code downloads and executes malicious JavaScript code. As soon as a developer runs the "import lightning" statement, the malicious code silently starts a background process.
As explained in the security advisory published by Lightning AI: "lightning==2.6.3 (published on PyPI as a py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes a heavily obfuscated 11.4 MB JavaScript payload upon importing lightning."
ShaiWorm: an infostealer malware
Detected and blocked by Microsoft Defender under the name "ShaiWorm", this payload is an infostealer. Once deployed on an infected machine, this malware searches for sensitive information:
- .env files, secrets, and GitHub tokens.
- API keys used by developers.
- Data stored in Chrome, Firefox, and Brave browsers, including usernames and passwords.
"This payload contains credential theft capabilities targeting cloud providers, browsers, and environment files," we can read. Indeed, this malware tries to interact directly with the APIs of Azure, AWS, and Google (GCP) cloud environments in an attempt to steal information.
If I mention Microsoft Defender, it is not by chance. The Microsoft Threat Intelligence team itself discovered the PyTorch Lightning package compromise. The post published on X says that the developer was notified shortly afterward. That same post also states the following:
"The observed activity remains limited to a small number of devices and appears confined to a restricted set of environments. We are also investigating telemetry signals related to container-based telemetry and the registry, which could indicate a potential compromise in certain scenarios."
If you used version 2.6.3 and the code was imported, Lightning AI warns that your secrets, keys, and tokens were likely compromised. In that case, immediate rotation of all your secrets is essential! In the meantime, the compromised version (2.6.3) has been removed from PyPI and the package rolled back to version 2.6.1, which is considered the latest safe release.
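Because the payload starts on import, an environment should be checked for the affected release without importing it. The following is an added example, not code from Lightning AI's advisory or from this article: it reads installed-package metadata only, and the function names and the constructed sample directories are assumptions made for illustration.

```python
import sys
import tempfile
from importlib import metadata
from pathlib import Path

PACKAGE = "lightning"    # distribution name given in the advisory quote
BAD_VERSION = "2.6.3"    # compromised release named on this page


def find_compromised(search_paths=None):
    """Return the directories that hold an installed lightning==2.6.3.

    Only *.dist-info metadata is read. The package is never imported,
    because importing it is what starts the payload.
    """
    hits = []
    for entry in (sys.path if search_paths is None else search_paths):
        for dist in metadata.distributions(path=[str(entry)]):
            try:
                name = (dist.metadata["Name"] or "").lower()
                version = dist.version
            except Exception:  # unreadable or missing METADATA file
                continue
            if name == PACKAGE and version == BAD_VERSION:
                hits.append(str(entry))
    return hits


def make_fake_site(root, version):
    """Constructed sample: a directory holding only a lightning dist-info."""
    info = Path(root) / f"{PACKAGE}-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {PACKAGE}\nVersion: {version}\n"
    )
    return str(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bad = make_fake_site(Path(tmp) / "env_a", BAD_VERSION)
        good = make_fake_site(Path(tmp) / "env_b", "2.6.1")
        print("constructed sample:", find_compromised([bad, good]))
    print("this interpreter:", find_compromised() or "no lightning 2.6.3 found")
```

Run it with each interpreter or virtual environment you want to check, or pass site-packages directories explicitly. A clean result only covers what is installed now, so an environment where 2.6.3 was installed and imported earlier still needs its secrets rotated.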


