Backdoored PyTorch Lightning package drops credential stealer
Summary
A malicious version of the PyTorch Lightning package was discovered on the Python Package Index (PyPI). The backdoored package includes a credential stealer that targets browser data, environment files (such as .env files holding API keys and secrets), and credentials for cloud services.
IFF Assessment
FOE
The discovery of a credential-stealing package on a public repository is bad news for defenders: it represents another supply-chain avenue for compromise, since the malicious code runs with the privileges of whoever installs or imports the package.
Defender Context
This incident highlights the risk of supply-chain attacks that target popular open-source repositories such as PyPI. Defenders should scan dependencies and manage vulnerabilities continuously, and treat every package installed from a public index as untrusted until verified: pin exact versions together with their hashes, confirm that the package name matches the legitimate project rather than a lookalike, and review what changed before upgrading.