Quick Facts
- Category: AI & Machine Learning
- Published: 2026-04-30 18:47:46
Introduction
A recent software supply chain attack has sent shockwaves through the Python community: threat actors infiltrated the widely used PyTorch Lightning package on the Python Package Index (PyPI). By publishing two deliberately corrupted versions, the attackers aimed to harvest sensitive credentials from unsuspecting developers and organizations. Security firms Aikido Security, Socket, and StepSecurity have jointly uncovered the breach, warning users to immediately purge the compromised releases.

Attack Details: Malicious Versions and Timeline
The Two Poisoned Releases
According to the cybersecurity teams, versions 2.6.2 and 2.6.3 of PyTorch Lightning were weaponized and uploaded to PyPI on April 30, 2026. These releases were not the result of a typosquatting or dependency confusion attack; instead, the assailants gained direct access to the package maintainer’s account, allowing them to push updates that appeared legitimate at first glance. The campaign is believed to be an extension of a broader, ongoing wave of supply chain operations targeting high‑profile PyPI projects.
How the Attack Works
The malicious code embedded in versions 2.6.2 and 2.6.3 was designed to execute silently during the package installation process. Once triggered, it would attempt to exfiltrate a wide range of credentials stored on the victim’s machine, including environment variables, cloud provider keys (AWS, GCP, Azure), SSH private keys, and database connection strings. The stolen data was then transmitted to an external command‑and‑control server controlled by the attackers, effectively handing over access to any infrastructure the victim had configured.
Discovery and Response
The security researchers at Aikido Security first noticed anomalous behavior in the package’s update history. Upon deeper investigation, they collaborated with Socket and StepSecurity to confirm the presence of obfuscated credential‑stealing logic. The malicious versions have since been flagged on PyPI, and the maintainers have removed them from the registry. However, the damage could already be done for anyone who installed the package between April 30 and the time of discovery. Users are advised to immediately check their systems for the presence of versions 2.6.2 or 2.6.3 and revoke any credentials that may have been exposed.
Impact and Recommendations
PyTorch Lightning is a critical component in the machine learning ecosystem, used by startups, research institutions, and large enterprises alike. A compromise of this nature can lead to data breaches, unauthorized cloud resource usage, and even subsequent supply chain attacks if the stolen credentials provide access to other private repositories or CI/CD pipelines. To mitigate risks, security experts recommend:
- Immediately updating to the latest safe version (2.6.4 or later) and verifying your installed version.
- Rotating all cloud access keys, API tokens, and SSH keys that were active on any machine that ran the compromised packages.
- Enabling multi‑factor authentication (MFA) for PyPI maintainer accounts and using strong, unique passwords.
- Monitoring system logs for unusual outbound connections or file access patterns.
- Implementing a software composition analysis (SCA) tool to detect known malicious packages in your dependencies.
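One way to carry out the version check from the first recommendation, shown as an added example rather than tooling from the researchers or the project: it looks for 2.6.2 and 2.6.3 both in the running interpreter's installed packages and in requirements-style pin files, and flags unpinned entries whose resolved version cannot be read from the file. The distribution names `pytorch-lightning` and `lightning` are an assumption (the article does not name the PyPI distribution), and the function names are hypothetical.

```python
"""Added example: find PyTorch Lightning 2.6.2 / 2.6.3 in an environment or pin file."""
import re
import sys
from importlib import metadata

BAD_VERSIONS = {"2.6.2", "2.6.3"}           # releases the article names as malicious
# Assumption: the article does not give the PyPI distribution name; these are
# the two names PyTorch Lightning is published under on PyPI.
WATCHED = {"pytorch-lightning", "lightning"}

REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#\\]*)")

def normalize(name):
    """PEP 503 normalization, so Pytorch_Lightning matches pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, status, spec) for watched packages in requirements-style text.

    status is "affected" for an exact pin to a bad release, or "unpinned" when
    the specifier is a range/wildcard/absent and the resolved version is unknown.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in WATCHED:
            continue
        spec = re.sub(r"\s+", "", m.group(2))
        exact = re.fullmatch(r"===?([^,*]+)", spec)
        if exact is None:
            findings.append((no, "unpinned", spec))
        elif exact.group(1) in BAD_VERSIONS:
            findings.append((no, "affected", spec))
    return findings

def scan_installed(dists=None):
    """Return (name, version) for affected distributions in this interpreter's environment."""
    found = []
    for d in (metadata.distributions() if dists is None else dists):
        name = d.metadata.get("Name") or ""
        if normalize(name) in WATCHED and d.version in BAD_VERSIONS:
            found.append((normalize(name), d.version))
    return found

if __name__ == "__main__":
    hits = scan_installed()
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            hits += [(path, *f) for f in scan_requirements(fh.read())]
    print("\n".join(map(str, hits)) or "no affected PyTorch Lightning release found")
    sys.exit(1 if hits else 0)
```

Run it with each virtual environment's own interpreter and pass any requirements or `pip freeze` output files as arguments. An "unpinned" finding means the file alone cannot rule out that 2.6.2 or 2.6.3 was resolved during the exposure window, so check build logs or the environment itself.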
This incident serves as a stark reminder that even trusted open‑source packages can be turned into weapons. Developers must remain vigilant, verify package integrity using checksums or signatures, and treat every dependency update as a potential security risk. The open‑source community is once again called upon to strengthen PyPI’s security posture, perhaps through mandatory code signing or automated vulnerability scanning for every published release.