# PyTorch Lightning Supply Chain Attack: Malicious Versions Distributed via PyPI to Steal Credentials


A significant supply chain security incident has compromised PyTorch Lightning, a widely-used Python deep learning framework, with threat actors successfully injecting malicious code into two package versions distributed on PyPI. The attack, affecting versions 2.6.2 and 2.6.3 released on April 30, 2026, represents yet another targeted campaign against Python's package ecosystem and highlights the persistent vulnerability of open-source software distribution channels.


## The Threat


Aikido Security, Socket, and StepSecurity independently discovered the compromise affecting PyTorch Lightning, a popular machine learning library that abstracts PyTorch functionality and is widely adopted by data scientists, machine learning engineers, and AI research teams globally. The two malicious versions, 2.6.2 and 2.6.3, were designed to execute credential theft operations on systems where they were installed.


Key details of the attack:


- Affected versions: PyTorch Lightning 2.6.2 and 2.6.3
- Release date: April 30, 2026
- Malicious capability: credential harvesting and exfiltration
- Discovery timeline: multiple security firms identified the compromise simultaneously
- Distribution method: the official PyPI package repository

The attack demonstrates that threat actors continue to target high-visibility Python packages as vehicles for widespread credential compromise. Unlike previous supply chain attacks targeting niche libraries, this campaign focused on a mainstream package with substantial adoption across research institutions, technology companies, and AI/ML teams.


## Background and Context

PyPI supply chain attacks have become increasingly sophisticated and frequent over the past two years. PyTorch Lightning occupies a privileged position in the Python ecosystem: it is a dependency for numerous downstream projects and is installed across thousands of development environments, research labs, and production systems.

The broader supply chain threat landscape:

This incident follows a documented pattern of PyPI attacks in which threat actors either:

- Compromise maintainer accounts through credential theft or social engineering
- Register typosquatted package names resembling legitimate libraries
- Poison legitimate package repositories during maintenance transitions
- Exploit package update mechanisms to distribute malicious versions

The PyPI repository, while implementing security measures including two-factor authentication requirements and package signing, remains a high-value target because a successful compromise grants immediate access to large deployment footprints.

Assessment of campaign scope: Security researchers indicate this attack appears to be part of a broader, coordinated campaign targeting multiple Python packages in the ML/data science ecosystem, suggesting an adversary with:

- Technical sophistication in Python packaging systems
- Reconnaissance capabilities to identify high-impact targets
- Supply chain access or account compromise abilities
- Operational persistence across multiple attack vectors

## Technical Details

The malicious payload injected into versions 2.6.2 and 2.6.3 was designed to operate silently during package installation and execution, targeting credential material commonly accessible in development environments.

How the attack works:

1. Installation trigger: Upon pip installation of the compromised version, the malware executes through setup hooks or import-time code execution.
2. Credential enumeration: The payload scans common credential storage locations, including:
   - Environment variables (API keys, tokens, credentials)
   - SSH keys and private key material
   - Git credential caches
   - AWS, Azure, and GCP authentication tokens
   - Database connection strings
   - Third-party service API credentials
3. Data exfiltration: Harvested credentials are transmitted to attacker-controlled infrastructure.
4. Stealth: The malware minimizes observable artifacts and maintains normal package functionality to avoid detection.

Why this approach succeeds:

Python's dynamic import system and setup.py execution model allow arbitrary code execution during package installation with minimal user awareness. Developers typically install dependencies without reviewing package content, and the established reputation of PyTorch Lightning means security scanning may treat it as trusted.

The attack exploits the implicit trust granted to established packages. A developer installing pytorch-lightning from the official PyPI repository has a reasonable expectation that the package has not been compromised, an assumption this attack directly violates.


## Implications

The compromise of PyTorch Lightning creates cascading risks across multiple threat surfaces.

Immediate risks:

- Credential compromise: Any system where versions 2.6.2 or 2.6.3 were installed may have had API keys, authentication tokens, and other sensitive credentials exposed
- Lateral movement: Stolen credentials could enable attackers to access cloud infrastructure, private repositories, internal systems, and SaaS platforms
- Supply chain cascade: Organizations using PyTorch Lightning as a dependency may unknowingly distribute the malware to internal systems or customers
- Development environment contamination: ML engineering teams, research groups, and data science infrastructure could all be compromised

Affected organizations:

Organizations most at risk include:

- Machine learning and AI teams using PyTorch Lightning for model development
- Research institutions building deep learning applications
- Technology companies with ML infrastructure dependencies
- Cloud-native organizations using PyTorch Lightning in containerized pipelines
- Organizations running data science platforms that include PyTorch Lightning

Scope of exposure:

Download metrics for PyTorch Lightning indicate substantial adoption. Even accounting for rapid patching after discovery, the window between malicious version release and detection (approximately 24 hours) means potentially thousands of installations occurred. Organizations that automatically update dependencies or run frequent environment builds could have deployed the malware without explicit awareness.


## Recommendations

Organizations should implement immediate remediation and longer-term protective measures.

Immediate actions:

| Priority | Action | Timeline |
|----------|--------|----------|
| Critical | Audit and rotate all credentials that may have been exposed | Within 24 hours |
| Critical | Force-upgrade PyTorch Lightning to a patched version (2.6.4 or later) across all systems | Within 48 hours |
| High | Review access logs for compromised AWS, Azure, GCP, and other cloud accounts | Within 72 hours |
| High | Investigate unauthorized API usage or resource provisioning | Within 72 hours |
| Medium | Scan development environments and build systems for persistence mechanisms | Within 1 week |


Detection and investigation:

- Review pip install logs across development infrastructure for installation timestamps around April 30, 2026
- Monitor for unusual outbound connections from systems running PyTorch Lightning during the affected version window
- Search environment variable exports and configuration files that may reveal exposed credentials
- Audit failed authentication attempts or unusual access patterns in systems that could have been accessed using compromised credentials
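The first detection step, finding every environment that ever received 2.6.2 or 2.6.3, is mechanical enough to script. The following triage helper is an added example written for this article, not tooling from the security firms or the PyTorch Lightning project. It checks the running interpreter via `importlib.metadata`, parses `pip list --format=json` output collected from other hosts, and scans pip's "Successfully installed ..." lines for the affected versions. The `pip list` JSON shape and the "Successfully installed" message are real pip output; the leading ISO timestamp in the sample lines is an assumption modelled on pip's `--log` file, and every sample line below is constructed.

```python
import json
import re
from datetime import date
from importlib import metadata

# Values taken from the advisory above.
PACKAGE = "pytorch-lightning"
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
RELEASE_DATE = date(2026, 4, 30)


def normalize(name: str) -> str:
    """Normalize a distribution name the way PyPI does (case-insensitive, -/_/. equivalent)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def local_version(dist_name: str = PACKAGE):
    """Version of dist_name installed in this interpreter, or None if it is absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def affected_in_pip_list(pip_list_json: str):
    """Return affected (name, version) pairs found in `pip list --format=json` output from a host."""
    hits = []
    for entry in json.loads(pip_list_json):
        name = normalize(entry["name"])
        if name == PACKAGE and entry["version"] in AFFECTED_VERSIONS:
            hits.append((name, entry["version"]))
    return hits


# pip's "Successfully installed a-1.0 b-2.0" line. The leading date is optional because
# only a pip --log file carries timestamps; CI console output or shell history may not.
INSTALL_RE = re.compile(
    r"^(?:(?P<day>\d{4}-\d{2}-\d{2})\S*\s+)?.*Successfully installed (?P<pkgs>.+)$"
)


def affected_installs_in_log(lines):
    """Return (date, version) for every install of an affected version seen in the log lines.

    Installs without a timestamp are reported with date None so they can be triaged by hand.
    """
    hits = []
    for line in lines:
        match = INSTALL_RE.match(line.strip())
        if not match:
            continue
        for token in match.group("pkgs").split():
            # Tokens look like "<name>-<version>"; the name itself may contain hyphens.
            name, _, version = token.rpartition("-")
            if normalize(name) == PACKAGE and version in AFFECTED_VERSIONS:
                hits.append((match.group("day"), version))
    return hits


# Constructed sample in the shape of a pip --log file; the last line mimics console output.
SAMPLE_PIP_LOG = """\
2026-04-29T09:12:44,101 Successfully installed pytorch-lightning-2.6.1 torchmetrics-1.4.0
2026-04-30T14:07:11,233 Successfully installed pytorch-lightning-2.6.2
2026-05-01T08:55:02,007 Successfully installed lightning-utilities-0.11.2 pytorch_lightning-2.6.3
2026-05-03T10:00:00,000 Successfully installed pytorch-lightning-2.6.4
Successfully installed pytorch-lightning-2.6.2
"""

if __name__ == "__main__":
    print("this interpreter:", local_version())
    for day, version in affected_installs_in_log(SAMPLE_PIP_LOG.splitlines()):
        print(f"affected install: {PACKAGE}=={version} on {day or 'unknown date'}")
```

Every hit is a host whose credentials go on the rotation list from the table above, regardless of whether the package was later upgraded, because the exposure happened at install time. Name normalization matters: `pytorch_lightning` and `PyTorch-Lightning` refer to the same distribution, and a naive string match would miss half the fleet.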

Long-term protective measures:

1. Dependency management: Implement Software Bill of Materials (SBOM) tracking and automated scanning of dependencies for known compromises
2. Package verification: Use cryptographic verification and hash checking for critical dependencies; consider dependency pinning strategies
3. Supply chain security: Evaluate third-party risk management programs with a focus on open-source dependencies
4. Isolation practices: Segregate development environments from production systems to limit the blast radius of compromised tools
5. Monitoring: Implement runtime application self-protection (RASP) and behavioral analysis on systems running untrusted code
6. Incident response: Develop supply chain incident response procedures addressing rapid patching and credential rotation workflows
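Item 2 (hash checking and pinning) is the control that stops an automated build from silently picking up a newly published version. The example below is added for this article and is not code from pip or from the PyTorch Lightning project; it produces and checks requirements lines in the exact form pip's `--require-hashes` mode consumes (`name==version --hash=sha256:...`), so the same check pip performs can be run on a downloaded artifact before anything is installed. The wheel bytes are a constructed stand-in, not a real archive; the file names and version 2.6.4 are taken from the advisory.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so a large wheel need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pinned_requirement(name: str, version: str, artifact_paths) -> str:
    """One requirements.txt line in the form pip's --require-hashes mode expects.

    Several --hash options may appear on one line so that the sdist and each
    platform wheel of the same release are all accepted.
    """
    hashes = " ".join(f"--hash=sha256:{sha256_of_file(p)}" for p in artifact_paths)
    return f"{name}=={version} {hashes}"


def parse_lockfile(lines):
    """Map normalized package name -> (pinned version, set of allowed sha256 digests)."""
    pins = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, _, version = parts[0].partition("==")
        prefix = "--hash=sha256:"
        digests = {p[len(prefix):] for p in parts[1:] if p.startswith(prefix)}
        pins[name.lower().replace("_", "-")] = (version, digests)
    return pins


def verify_artifact(lockfile_lines, name: str, version: str, path: str) -> str:
    """Check a downloaded artifact against the lock file before it is ever installed.

    Returns "ok", "not pinned", "version mismatch" or "hash mismatch".
    """
    pins = parse_lockfile(lockfile_lines)
    key = name.lower().replace("_", "-")
    if key not in pins:
        return "not pinned"
    pinned_version, digests = pins[key]
    if pinned_version != version:
        return "version mismatch"
    if sha256_of_file(path) not in digests:
        return "hash mismatch"
    return "ok"


def demo():
    """Constructed walk-through: pin a stand-in artifact, then verify an intact copy,
    a tampered copy, a different version, and an unpinned package."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "pytorch_lightning-2.6.4-py3-none-any.whl")
        with open(good, "wb") as fh:
            fh.write(b"constructed stand-in for wheel bytes; not a real archive\n")
        lock = ["# constructed lock file", pinned_requirement("pytorch-lightning", "2.6.4", [good])]

        tampered = os.path.join(workdir, "tampered.whl")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed stand-in for wheel bytes; not a real archive\n# extra bytes\n")

        return (
            verify_artifact(lock, "pytorch-lightning", "2.6.4", good),
            verify_artifact(lock, "pytorch-lightning", "2.6.4", tampered),
            verify_artifact(lock, "pytorch-lightning", "2.6.2", good),
            verify_artifact(lock, "torch", "2.7.0", good),
        )


if __name__ == "__main__":
    print(demo())
```

In practice the digests come from `pip hash <artifact>` or from pip-tools' `pip-compile --generate-hashes`, and `pip install --require-hashes -r requirements.txt` enforces them on every build. Hash pinning would not have protected someone who regenerated their pins on April 30 against the version they pinned, but it does stop the "automatically update dependencies" path described under scope of exposure, because a release that was not deliberately reviewed and pinned cannot be installed at all.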


## Conclusion

The PyTorch Lightning incident reinforces that open-source supply chains remain a critical vulnerability requiring vigilant governance. While no security practice completely eliminates supply chain risk, organizations that implement aggressive credential rotation, continuous dependency scanning, and rigorous access controls can substantially reduce their exposure to similar attacks. Security teams should treat this incident as a signal to audit their own Python package dependencies and strengthen supply chain security posture across development infrastructure.