Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library
Summary
Semgrep reports a supply-chain attack on the PyPI package lightning (versions 2.6.2 and 2.6.3) that executes credential-stealing malware on import. The attack spans multiple ecosystems (Python to JavaScript via npm), exfiltrates credentials and secrets, and establishes persistence through developer tooling; the article provides IoCs, affected packages, and remediation guidance via Semgrep advisories.