
PyTorch Lightning PyPI Hijack: SAMA Bank AI Supply Chain Risk

On April 30, 2026, attackers pushed malicious PyTorch Lightning packages to PyPI to harvest CI/CD secrets. Here is what SAMA-regulated banks must do under CSCC supply chain controls.

FyntraLink Team

On April 30, 2026, threat actors published two trojanised versions of PyTorch Lightning (2.6.2 and 2.6.3) to the Python Package Index, weaponising one of the most widely used AI training libraries in the world. For Saudi banks now racing to embed machine learning into fraud scoring, AML triage, and customer analytics, the incident is a textbook breach of the SAMA Cyber Security Framework's third-party and software supply chain controls — and a warning that the data scientist's notebook is now part of the attack surface.

Anatomy of the Lightning PyPI Supply Chain Attack

According to disclosures from Socket, Semgrep, and StepSecurity, the malicious wheels shipped a hidden _runtime directory containing a Python loader (start.py), the Bun JavaScript runtime, and an obfuscated 11 MB payload named router_runtime.js. Once a developer or CI runner executed pip install lightning, the loader silently downloaded Bun, then executed the JavaScript stealer with the privileges of the build agent. Socket's AI scanner flagged both versions roughly eighteen minutes after publication, and PyPI administrators quarantined the project — but not before mirrors, cached wheels, and pinned-version pipelines had already pulled the trojans.

The campaign is being tracked as an extension of the Mini Shai-Hulud cluster previously linked to malicious npm packages targeting SAP ecosystems, suggesting a coordinated, multi-registry adversary rather than an opportunistic hijack.

What the Stealer Targets

The router_runtime.js payload is engineered for exhaustive secret harvesting on developer workstations and CI/CD nodes. It enumerates and exfiltrates GitHub and npm tokens, SSH private keys, AWS and GCP credential files, Kubernetes kubeconfigs, HashiCorp Vault tokens, Docker config secrets, browser-stored cookies, and any .env file it can locate. GitHub tokens are validated live against api.github.com/user; valid tokens are then abused to push a worm-like payload to up to fifty branches across every writable repository the victim controls — a self-propagating mechanism that turns one compromised laptop into a fleet-wide breach.

For a Saudi bank, the implication is severe: a single data scientist who installs the wrong version on a personal laptop can leak production cloud credentials, source code for risk models, and signing keys that downstream attackers monetise as initial access broker inventory.

Impact on SAMA-Regulated Financial Institutions

The SAMA Cyber Security Framework explicitly mandates third-party and supply chain risk management under control domain 3.3.14, while the NCA Essential Cybersecurity Controls (ECC-1:2018) require subdomain 2-10 coverage of third-party and cloud computing cybersecurity. The Lightning incident violates the spirit of both: open-source dependencies pulled directly from a public registry into a regulated production pipeline, with no software bill of materials (SBOM), no cryptographic verification, and no internal mirror enforcing version pinning and scanning.

Banks operating under the Saudi Personal Data Protection Law (PDPL) face a second exposure. If credentials harvested from a compromised model-training environment grant access to systems holding personal data — even pseudonymised training datasets — the breach triggers PDPL Article 20 notification obligations to SDAIA and affected data subjects within seventy-two hours of confirmed compromise.

Practical Recommendations for Saudi Banks

  1. Audit the blast radius immediately. Search every repository, requirements file, Dockerfile, and notebook for lightning==2.6.2 or lightning==2.6.3. Treat any host that resolved those versions as compromised until proven otherwise.
  2. Rotate every secret accessible to your ML environments. GitHub PATs, SSH keys, AWS access keys, GCP service accounts, kubeconfigs, Vault tokens, Docker registry credentials, and any .env values. Assume the attacker has already validated and used them.
  3. Enforce an internal PyPI mirror. Stand up Sonatype Nexus, JFrog Artifactory, or AWS CodeArtifact as the sole upstream for production builds, with allowlisted versions, signature checks, and integrated scanning via Socket, Snyk, or pip-audit.
  4. Generate and retain SBOMs for every model deployment. CycloneDX or SPDX format, stored alongside the model artefact, in line with SAMA CSCC 3.3.14 evidence requirements.
  5. Block outbound network egress from CI runners. Build agents should never reach api.github.com, npmjs.org, or arbitrary CDNs at install time — egress allowlists collapse the stealer's exfiltration path.
  6. Hunt for indicators on developer endpoints. EDR queries for the Bun runtime appearing under ~/.bun, anomalous outbound connections from node or python processes during pip install events, and unexpected GitHub API calls from build infrastructure.
  7. Update the third-party risk register. Add open-source AI/ML libraries as a distinct risk category, with named owners, scanning frequency, and incident playbooks — evidence the SAMA examiner will ask for.
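A scanner for the blast-radius audit in step 1, added here as an example and not FyntraLink's or the Lightning project's code. The distribution name lightning and the versions 2.6.2 and 2.6.3 come from the post; the requirements file, Dockerfile and notebook it reads are constructed samples, and it goes one step further than the text by also flagging unpinned or range specifiers, which may have resolved to the trojanised releases during the publication window.

```python
import json
import re

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}  # versions named in the disclosures above
# 'lightning' (optional extras) plus an optional PEP 440 specifier; lookarounds keep the
# unrelated 'pytorch-lightning' and 'lightning-utilities' distributions from matching.
_REQ = re.compile(r"(?<![\w.-])lightning(?![\w-])(?:\[[^\]]*\])?"
                  r"(?:\s*(===?|~=|!=|<=|>=|<|>)\s*([\w.*+-]+))?", re.IGNORECASE)
# Only requirement lines and pip commands count, not 'import lightning' statements.
_INSTALL_LINE = re.compile(r"^\s*lightning\b|\bpip3?\s+install\b", re.IGNORECASE)

def classify_spec(op, version):
    """Classify one specifier as 'compromised', 'clean' (other exact pin) or 'unpinned'."""
    if op in ("==", "===") and version in MALICIOUS_VERSIONS:
        return "compromised"
    if op in ("==", "===") and not version.endswith("*"):
        return "clean"
    return "unpinned"  # range, wildcard or bare name: the resolver may have chosen 2.6.2/2.6.3

def scan_text(text, source):
    """Return (source, line_no, status, line) for every lightning requirement found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        if _INSTALL_LINE.search(code):
            for m in _REQ.finditer(code):
                findings.append((source, no, classify_spec(m.group(1), m.group(2)), line.strip()))
    return findings

def scan_notebook(nb_json, source):
    """Scan the code cells of a .ipynb (line numbers count across concatenated cells)."""
    cells = json.loads(nb_json)["cells"]
    code = "\n".join("".join(c["source"]) for c in cells if c["cell_type"] == "code")
    return scan_text(code, source)

# Constructed sample manifests, not taken from any real repository.
REQUIREMENTS = ('torch==2.5.0\n'
                'Lightning[extra] == 2.6.2 ; python_version >= "3.10"  # pinned by DS team\n'
                'lightning-utilities==0.11.0\n')
DOCKERFILE = 'FROM python:3.11-slim\nRUN pip install --no-cache-dir "lightning>=2.6,<2.7" pandas\n'
NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "markdown", "source": ["# Fraud model training"]},
    {"cell_type": "code", "source": ["!pip install lightning==2.6.3\n", "import lightning as L\n"]}]})

def audit_all():
    """Group findings by status; hosts behind 'compromised' entries need the step 2 rotation."""
    results = (scan_text(REQUIREMENTS, "requirements.txt") + scan_text(DOCKERFILE, "Dockerfile")
               + scan_notebook(NOTEBOOK, "train.ipynb"))
    return {s: [f for f in results if f[2] == s] for s in ("compromised", "unpinned", "clean")}

for status, items in audit_all().items():
    for src, no, _, line in items: print(f"[{status.upper():11}] {src}:{no}: {line}")
```

Pointing the scanners at real files is a matter of replacing the sample constants with the file contents; Dockerfile and notebook hits should be confirmed against the resolver output or lockfile that the pipeline actually used.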

Conclusion

The PyTorch Lightning compromise is not an isolated supply-chain story; it is the new operating reality for any Saudi financial institution adopting AI. Adversaries have moved upstream into the registries your data scientists trust by default, and the regulator already expects you to have closed that gap. Treat your ML pipeline like core banking: pinned dependencies, signed artefacts, internal mirrors, SBOMs, and continuous scanning are no longer optional.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on software supply chain and AI/ML pipeline security.