A software supply chain attack has targeted users of the popular machine learning framework PyTorch Lightning, with threat actors pushing two malicious versions of the package to steal credentials.
According to cybersecurity firms Aikido Security, Socket, and StepSecurity, the malicious versions 2.6.2 and 2.6.3 were published to the Python Package Index (PyPI) on April 30, 2026. The campaign is assessed to be an extension of a broader pattern of supply chain compromises affecting the Python ecosystem.
What Happened
The attack involved the compromise of the legitimate PyTorch Lightning package, a widely used open source library for training and deploying artificial intelligence models. The malicious versions were designed to exfiltrate sensitive credentials from the systems of developers and organizations that installed them.
The infected packages executed a payload during installation that collected environment variables, configuration files, and authentication tokens. This data was then transmitted to an external server controlled by the attackers.
Infection Mechanism
The malicious code was embedded within the package's setup process. When users ran a standard pip install command for PyTorch Lightning, the malicious versions executed the credential-harvesting routine as part of installation, before the legitimate library code was ever imported. Install-time hooks of this kind run with the privileges of whoever ran pip, including CI runners and build containers, so those hosts count as affected even if the library was never used afterwards.
The attack targeted both personal access tokens and cloud service credentials, including those for Amazon Web Services, Google Cloud Platform, and GitHub. By compromising these credentials, attackers could gain unauthorized access to cloud resources and private code repositories.
Scope and Impact
PyTorch Lightning is used extensively in the machine learning and artificial intelligence research communities, as well as in production environments at many technology companies. The malicious versions were available for download for a limited window on April 30 before being identified and removed from PyPI.
Security researchers have confirmed that the attack is part of a larger campaign targeting the Python open source ecosystem. Similar credential stealing techniques have been observed in previous supply chain attacks on PyPI, including incidents involving other popular machine learning libraries.
Response and Mitigation
PyPI administrators have removed the malicious versions 2.6.2 and 2.6.3 from the repository. Users are strongly advised to check their installed package versions immediately.
Organizations using PyTorch Lightning should verify they are running version 2.6.1 or earlier, or the latest patched version above 2.6.3. Check every environment that could have resolved the package during the compromise window, not only developer workstations: CI runners, container images, and any requirements or lock files that pin a 2.6.x release. Security teams should scan systems for any unauthorized access or credential exposure that may have occurred during the compromise window.
Developers who installed the affected versions should rotate all credentials that were present on the affected systems, whether held in environment variables, configuration files, or stored tokens. This includes API keys, database passwords, cloud provider access tokens, and CI secrets available to pipelines that installed the package. A full security audit of any environments that used the compromised packages is recommended.
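As an added example (not code from the security firms' reports or from the PyTorch Lightning project), the following script checks the interpreter it runs in and any requirements or pip freeze files passed on the command line for the two malicious releases. It assumes the PyPI distribution name is pytorch-lightning; the sample requirements text is constructed for illustration.

```python
"""Audit a Python environment and its pinned dependency files for the
malicious pytorch-lightning releases 2.6.2 and 2.6.3."""
import re
import sys
from importlib import metadata
from typing import List, Optional, Tuple

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}
# Assumption: the PyPI distribution name of the package discussed above.
DIST_NAME = "pytorch-lightning"

# name==version pins as written by `pip freeze` or in requirements.txt;
# the version stops at whitespace, a marker (;), a comment (#) or a backslash.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#\\]*)")

# Constructed sample input: one malicious pin among unaffected ones.
SAMPLE_REQUIREMENTS = """torch==2.3.0
pytorch_lightning==2.6.3  # pinned last week
PyTorch-Lightning==2.6.1
pytorch-lightning>=2.6
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation so pytorch_lightning, PyTorch-Lightning and
    pytorch.lightning all compare equal to pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_malicious(name: str, version: str) -> bool:
    return normalize(name) == DIST_NAME and version.strip() in MALICIOUS_VERSIONS


def scan_pins(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, name, version) for every pin selecting a malicious release."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _PIN_RE.match(line)
        if m and is_malicious(m.group(1), m.group(2)):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits


def installed_version(dist: str = DIST_NAME) -> Optional[str]:
    """Version installed in *this* interpreter, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def check_installed(dist: str = DIST_NAME) -> str:
    version = installed_version(dist)
    if version is None:
        return "not installed"
    if version in MALICIOUS_VERSIONS:
        return f"MALICIOUS {version}: rotate every credential present on this host"
    return f"ok ({version})"


if __name__ == "__main__":
    # Usage: python audit_lightning.py requirements.txt [more files...]
    print("current interpreter:", check_installed())
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line_no, name, version in scan_pins(fh.read()):
                print(f"{path}:{line_no}: {name}=={version} is a malicious release")
```

Run it once per interpreter (each virtualenv, container image and CI runner has its own site-packages), and feed it the output of `pip freeze` from those environments as well as the checked-in requirements files; an exact-version pin on 2.6.2 or 2.6.3 in a lock file means every fresh build resolved the malicious release.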
Broader Implications
This incident highlights ongoing vulnerabilities in the software supply chain, particularly within the open source package management ecosystem. PyPI, like other package registries such as npm for JavaScript and RubyGems for Ruby, has been a frequent target for attackers seeking to distribute malicious code.
The attack underscores the need for package maintainers to implement stronger security practices, including two-factor authentication for publishing accounts and automated integrity checks on uploaded packages. For end users, scanning dependencies with security tools and pinning package versions can reduce exposure to such attacks. Note that an exact-version pin only helps if the pinned version predates the malicious upload; pinning the artifact hash as well ties each install to the file that was actually reviewed.
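To make the hash-pinning point concrete, here is an added example (not the page's or the project's code) that emits requirement lines in the format `pip install --require-hashes` consumes and performs the same check pip makes, namely that a candidate file's SHA-256 appears among the `--hash` options for its name and version. In practice these lines come from `pip hash` or `pip-compile --generate-hashes`; the wheel filename and contents below are constructed stand-ins.

```python
"""Produce and check hash-pinned requirement lines so that
`pip install --require-hashes -r requirements.txt` rejects any artifact
whose bytes differ from the one that was reviewed."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Set, Tuple

# Wheel filename: {name}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$"
)
# name==version followed by zero or more --hash=... options
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)((?:\s+--hash=\S+)*)")

# Constructed sample: a stand-in for a wheel file, not a real release.
SAMPLE_WHEEL = "pytorch_lightning-2.6.1-py3-none-any.whl"
SAMPLE_BYTES = b"constructed stand-in for wheel contents"


def _norm(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_line(filename: str, data: bytes) -> str:
    """Requirement line for a wheel: name==version --hash=sha256:<digest>."""
    m = _WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a wheel filename: {filename}")
    name = m["name"].replace("_", "-")  # wheel filenames use underscores
    return f"{name}=={m['version']} --hash=sha256:{sha256_hex(data)}"


def allowed_hashes(requirements: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (normalised name, version) -> digests listed in --hash options.
    Backslash line continuations (as written by pip-compile) are joined first."""
    table: Dict[Tuple[str, str], Set[str]] = {}
    for line in requirements.replace("\\\n", " ").splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        key = (_norm(m.group(1)), m.group(2))
        digests = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group(3)))
        table.setdefault(key, set()).update(digests)
    return table


def verify_wheel(filename: str, data: bytes, requirements: str) -> bool:
    """True only if this exact file is one the requirements file vouches for."""
    m = _WHEEL_RE.match(filename)
    if not m:
        return False
    key = (_norm(m["name"]), m["version"])
    return sha256_hex(data) in allowed_hashes(requirements).get(key, set())


if __name__ == "__main__":
    # Usage: python hashpin.py dist/*.whl > requirements.txt
    for path in sys.argv[1:]:
        print(pin_line(Path(path).name, Path(path).read_bytes()))
```

With `--require-hashes`, pip refuses any requirement that lacks a hash and any downloaded file whose digest is not listed, so a registry serving a different file for the same version, or a transitive dependency that was never reviewed, fails the install instead of running its setup code. The protection is only as good as the review: pinning the hash of a malicious release faithfully reproduces the malicious release.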
As of publication, the full extent of credential theft from this campaign is still under investigation. Security firms are working with PyPI administrators to identify the method of compromise used to gain control of the PyTorch Lightning maintainer account.
Industry observers expect that this attack will accelerate calls for mandatory security audits of popular open source packages and increased funding for registry security infrastructure. The incident may also prompt the adoption of software bill of materials (SBOM) requirements in the machine learning supply chain.
Source: Delimiter Online