Malicious PyPI Versions of PyTorch Lightning Target Developers in Supply Chain Attack
Threat actors compromised the popular Python package PyTorch Lightning, publishing two malicious versions 2.6.2 and 2.6.3 on April 30, 2026, as part of a broader software supply chain attack. The campaign, linked to the Mini Shai-Hulud incident that previously targeted SAP-related npm packages, was uncovered by security firms Aikido Security, OX Security, Socket, and StepSecurity.
The compromised versions contained a hidden _runtime directory with an obfuscated JavaScript payload that executed automatically upon package import. The attack chain downloaded the Bun JavaScript runtime and deployed an 11MB obfuscated script (router_runtime.js) designed for credential theft. Validated GitHub tokens were used to inject worm-like payloads into up to 50 branches per repository, silently overwriting files with commits impersonating Anthropic’s Claude Code.
Additionally, the malware modified local npm packages by adding a postinstall hook to package.json, incrementing version numbers, and repackaging tarballs. If published, these tampered packages would propagate the malware to downstream systems.
The Python Package Index (PyPI) has since quarantined the affected versions. While the exact cause of the compromise remains under investigation, evidence suggests the PyTorch Lightning GitHub account was breached. Maintainers confirmed the malicious versions introduced credential-harvesting functionality and advised users to downgrade to version 2.6.1 and rotate exposed credentials.
The attack has been attributed to TeamPCP, a threat group previously suspended from X for policy violations. The group has since launched a dark web onion site and claimed ties to LAPSUS$, while denying use of the VECT encryption tool instead asserting ownership of CipherForce, its proprietary ransomware locker.
In a related incident, version 7.0.4 of the intercom-client npm package was also compromised under the Mini Shai-Hulud campaign, employing a preinstall hook to execute credential-stealing malware. Security researchers noted technical overlaps with prior TeamPCP attacks targeting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy.
Source: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html
PyTorch Lightning TPRM report: https://www.rankiteo.com/company/pytorch-lightning
Anthropic TPRM report: https://www.rankiteo.com/company/anthropicresearch
"id": "pytant1777580983",
"linkid": "pytorch-lightning, anthropicresearch",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Developers using PyTorch '
'Lightning 2.6.2/2.6.3',
'industry': 'Software Development',
'name': 'PyTorch Lightning',
'type': 'Open-source Python package'},
{'customers_affected': 'Developers using '
'intercom-client 7.0.4',
'industry': 'Software Development',
'name': 'intercom-client',
'type': 'npm package'}],
'attack_vector': 'Compromised package repository (PyPI)',
'customer_advisories': 'Developers using affected packages urged to check for '
'unauthorized changes and rotate credentials',
'data_breach': {'data_exfiltration': 'Yes (credential theft)',
'file_types_exposed': 'JavaScript, npm package files, Python '
'packages',
'sensitivity_of_data': 'High (authentication tokens, source '
'code)',
'type_of_data_compromised': 'Credentials, GitHub tokens, '
'repository files'},
'date_detected': '2026-04-30',
'description': 'Threat actors compromised the popular Python package *PyTorch '
'Lightning*, publishing two malicious versions (2.6.2 and '
'2.6.3) on April 30, 2026, as part of a broader software '
'supply chain attack. The campaign contained a hidden '
'`_runtime` directory with an obfuscated JavaScript payload '
'that executed automatically upon package import, downloading '
'the Bun JavaScript runtime and deploying an 11MB obfuscated '
'script (*router_runtime.js*) designed for credential theft. '
'The attack also modified local npm packages and used '
'validated GitHub tokens to inject worm-like payloads into '
'repositories.',
'impact': {'brand_reputation_impact': 'High (PyTorch Lightning, npm packages)',
'data_compromised': 'GitHub tokens, credentials, repository files',
'identity_theft_risk': 'High (credential harvesting)',
'operational_impact': 'Unauthorized code commits, malware '
'propagation, credential exposure',
'systems_affected': 'Python and npm package ecosystems, downstream '
'development environments'},
'initial_access_broker': {'backdoors_established': 'Malicious package '
'versions, postinstall '
'hooks',
'entry_point': 'Compromised PyTorch Lightning '
'GitHub account',
'high_value_targets': 'GitHub repositories, npm '
'packages'},
'investigation_status': 'Ongoing',
'motivation': 'Credential theft, malware propagation, supply chain compromise',
'post_incident_analysis': {'corrective_actions': 'Account security review, '
'package quarantine, '
'credential rotation',
'root_causes': 'Compromised GitHub account, supply '
'chain attack via package '
'repositories'},
'ransomware': {'ransomware_strain': 'CipherForce (proprietary, claimed by '
'TeamPCP)'},
'recommendations': 'Rotate exposed credentials, downgrade to safe package '
'versions, monitor for unauthorized repository changes, '
'enhance supply chain security for open-source packages',
'references': [{'source': 'Aikido Security'},
{'source': 'OX Security'},
{'source': 'Socket'},
{'source': 'StepSecurity'}],
'response': {'communication_strategy': 'Public advisories from maintainers '
'and security firms',
'containment_measures': 'PyPI quarantined malicious versions, '
'advised downgrade to 2.6.1',
'remediation_measures': 'Credential rotation, repository '
'cleanup, package downgrades',
'third_party_assistance': 'Aikido Security, OX Security, Socket, '
'StepSecurity'},
'stakeholder_advisories': 'PyTorch Lightning maintainers advised downgrading '
'to 2.6.1 and rotating credentials',
'threat_actor': 'TeamPCP',
'title': 'Malicious PyPI Versions of PyTorch Lightning Target Developers in '
'Supply Chain Attack',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Malicious package versions (PyTorch Lightning '
'2.6.2, 2.6.3; intercom-client 7.0.4)'}