A new supply chain attack has hit the popular Python framework PyTorch Lightning. The attack allowed hackers to publish malicious versions of the package and steal developer credentials.
Security researchers fromAikido Security, OX Security, Socket, and StepSecurity found that versions 2.6.2 and 2.6.3 were compromised. These versions were uploaded on April 30, 2026. Both versions have now been removed from PyPI. The safe version right now is 2.6.1.
PyTorch Lightning is widely used by developers working on machine learning projects. Because of its popularity, it became a high-value target. The malicious package includes hidden files. These files contain a downloader and an obfuscated JavaScript payload. The attack starts as soon as a developer imports the package. No extra step is needed.
The malware first downloads the Bun runtime. It then runs a large hidden script. This script is designed to steal sensitive data from the system.
It targets GitHub tokens, npm credentials, SSH keys, cloud secrets, Docker data, Kubernetes configs, and .env files. This means both local and cloud environments are at risk.
The attackers use stolen GitHub tokens to go further. The malware checks if the tokens are valid. If valid, it accesses repositories where the user has write access. It can then inject malicious code into multiple branches. It can also overwrite files without checking existing content. All changes are committed using a fake identity to look normal.
The attack can also spread on its own. It modifies local npm packages by adding a malicious install script. If a developer publishes these packages, the malware spreads to others.
Researchers say this attack is linked to the “Mini Shai-Hulud” campaign. This campaign has already targeted npm packages earlier. The threat group TeamPCP is believed to be behind these attacks.
The attack is not limited to Python. The npm package intercom-client version 7.0.4 was also compromised in a similar way. The issue also reached the PHP ecosystem. The Packagist package intercom/intercom-php version 5.0.2 was found to include the same type of malware.
In this case, the attack was linked to a hacked GitHub account. The attackers used an automated workflow to publish the malicious package.
Researchers also found that some infections happened through dependencies. A package indirectly pulled the compromised Lightning version. This shows how one bad dependency can affect many projects.
This attack shows how supply chain threats are evolving. We are now seeing new supply chain attacks almost every day. Attackers are no longer targeting just individual systems. They are going after widely used developer tools and popular packages to reach a much larger number of systems at once. This approach helps them scale attacks quickly and cause more damage.
