Shai-Hulud-themed malware found in PyTorch Lightning AI training library
Semgrep disclosed on April 30 that versions 2.6.2 and 2.6.3 of the `lightning` package were poisoned with Shai-Hulud-style malware hidden in a `_runtime` directory. Loading the package automatically exfiltrates GitHub tokens, cloud credentials, and CI/CD secrets, and plants persistence hooks in Claude Code and VS Code configuration. Anyone who pip-installed those versions should audit their dependency tree and rotate secrets now.
Published: 2026-05-01
Tags: security, supply-chain, pytorch, ml-infra
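
An added example (not from Semgrep or the Lightning project) of the audit step recommended above: it checks installed-package metadata and exact requirements pins for `lightning` 2.6.2 / 2.6.3 without importing the package, since loading it is what triggers the payload. Treating any installed file with a `_runtime` path component as suspect is an assumption based on the directory name given above, and the function names are illustrative.

```python
"""Audit for the affected lightning releases without importing the package."""
import re
from importlib.metadata import distributions

# Package name and versions as reported in the item above.
AFFECTED = {"lightning": {"2.6.2", "2.6.3"}}
# Assumption: any installed file with a `_runtime` path component deserves review.
SUSPECT_DIR = "_runtime"
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.]+)")


def normalize(name):
    """PEP 503 name normalization, so Lightning and lightning compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_site_packages(paths=None):
    """Read dist-info metadata only; nothing is imported, so no package code runs."""
    kwargs = {"path": [str(p) for p in paths]} if paths else {}
    findings = []
    for dist in distributions(**kwargs):
        name = normalize(dist.metadata["Name"] or "")
        if dist.version not in AFFECTED.get(name, ()):
            continue
        # RECORD lists every file the installer wrote for this distribution.
        suspect = sorted({str(f) for f in (dist.files or []) if SUSPECT_DIR in f.parts})
        findings.append({"name": name, "version": dist.version, "suspect_files": suspect})
    return findings


def audit_requirements(text):
    """Return (line number, name, version) for exact pins on an affected release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and m.group(2) in AFFECTED.get(normalize(m.group(1)), ()):
            hits.append((lineno, normalize(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    # Constructed sample requirements file, for illustration only.
    sample = "torch==2.3.0\nlightning==2.6.3\nlightning>=2.6.2\n"
    print("pinned:", audit_requirements(sample))
    for f in audit_site_packages():
        print(f"installed: {f['name']} {f['version']}, _runtime files: {len(f['suspect_files'])}")
```

Range specifiers such as `lightning>=2.6.2` are not flagged by the pin check, so the resolved version in the lockfile or the installed environment still has to be checked.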