PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials
Summary
Threat actors have compromised the popular Python package PyTorch Lightning by pushing two malicious versions (2.6.2 and 2.6.3) to the Python Package Index (PyPI) in order to steal user credentials. Both malicious versions were published on April 30, 2026. The campaign is believed to be an extension of ongoing efforts.
IFF Assessment
This attack is a supply chain compromise that could lead to widespread credential theft among users of the PyTorch Lightning library, directly harming the defenders who depend on it.
Defender Context
This incident highlights the ongoing risk of supply chain attacks targeting popular open-source libraries, which can have a significant impact on downstream users. Defenders should be vigilant about the packages they incorporate into their development pipelines and consider implementing robust dependency scanning and verification processes to detect potentially malicious code.
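As an added example that is not part of the advisory, the script below audits a pip requirements file for specifiers that could resolve to the two compromised releases named above and emits constraint lines that exclude them. The version numbers come from the advisory; the PyPI project name "pytorch-lightning" and the sample requirements are assumptions constructed for this example.

```python
"""Audit pip requirement lines for the compromised PyTorch Lightning releases
named in the advisory (2.6.2 and 2.6.3) and emit constraints that block them."""
import re

# Versions come from the advisory; the PyPI project name "pytorch-lightning"
# is an assumption made for this example.
COMPROMISED = {"pytorch-lightning": {"2.6.2", "2.6.3"}}

# Constructed sample requirements file, not taken from any real project.
SAMPLE = "torch==2.2.0\nPyTorch_Lightning>=2.6,<2.7  # trainer\nlightning-utilities\n"

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:;.*)?$")
_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'PyTorch_Lightning' matches the advisory name."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # release segments only; no pre-release tags

def allows(spec: str, version: str) -> bool:
    """True if a specifier set such as '>=2.6,<2.7' permits `version`.
    An empty specifier pins nothing, so every version is allowed."""
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = re.match(r"(==|!=|>=|<=|>|<)\s*([0-9.]+)$", clause)
        if m and not _OPS[m.group(1)](vtuple(version), vtuple(m.group(2))):
            return False  # an unrecognised clause (~=, wildcards) is treated as unconstrained
    return True

def audit_requirements(text: str) -> list:
    """Return (name, specifier, bad_version) for every line that can resolve
    to a compromised release; an unpinned line is flagged for each bad version."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, spec = normalize(m.group(1)), m.group(2)
        for bad in sorted(COMPROMISED.get(name, ())):
            if allows(spec, bad):
                findings.append((name, spec, bad))
    return findings

def exclusion_constraints() -> list:
    """Lines for a pip constraints file that make the resolver skip the bad releases."""
    return [f"{n}{','.join('!=' + v for v in sorted(vs))}" for n, vs in COMPROMISED.items()]
```

Pass the emitted lines to pip via `-c constraints.txt` so a loose range such as `>=2.6,<2.7` can no longer resolve to the withdrawn releases.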