// #mini-shai-hulud

PyTorch Lightning PyPI Package Compromised — Credential-Stealing Payload Delivered to AI/ML Development Environments

PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI were found to contain a credential-stealing postinstall payload, extending the Mini Shai-Hulud supply chain campaign that previously compromised SAP's official npm packages. Organisations running AI/ML workloads should audit Python environments and rotate any credentials stored on affected development or CI/CD systems.