Critical Supply Chain Attack on PyTorch-Lightning Python Package
Key Takeaways
- A sophisticated supply chain attack has compromised versions 2.6.2 and 2.6.3 of the widely used lightning (PyTorch Lightning) Python package.
- The malicious packages automatically execute credential-stealing malware upon import, targeting developer systems, CI/CD pipelines, and cloud environments.
- GitHub maintainer accounts for the project appear to have been compromised, indicated by suspicious activity on issue threads.
- The attack is linked to the Team PCP campaign and shares similarities with the Shai-Hulud attack, focusing on exfiltrating GitHub, NPM, and cloud credentials.
- Immediate action is required for any system that installed or imported the affected versions, including downgrading and comprehensive credential rotation.
A critical supply chain attack has struck the Python deep learning framework lightning, a package integral to AI and machine learning workflows. This incident involves the compromise of specific package versions, leading to the automatic execution of credential-stealing malware and the apparent takeover of GitHub maintainer accounts.
The affected package, known as lightning on PyPI, is the deep learning framework used for training, deploying, and shipping AI products. It boasts hundreds of thousands of daily downloads and millions of monthly installations, underscoring the potential widespread impact of this breach.
Researchers at Socket identified versions 2.6.2 and 2.6.3 as malicious just 18 minutes after their publication on April 30, 2026. Version 2.6.1, released on January 30, 2026, remains untainted and is considered the last secure iteration of the package.
The attack directly endangers developer workstations, continuous integration/continuous deployment (CI/CD) pipelines, and cloud build environments. Any system that has installed and subsequently imported the compromised versions is now considered at high risk.

Hidden Malware Execution Chain
Socket’s detailed analysis uncovered a concealed _runtime directory within the malicious packages. This directory contains a multi-stage execution chain designed to activate silently and automatically upon the module’s import, requiring no further user interaction. The identified components of this sophisticated attack include:
- start.py: This script initiates the compromise by downloading and executing Bun, a JavaScript runtime, directly from GitHub.
- router_runtime.js: An 11 MB JavaScript payload, heavily obfuscated, forms the core of the malware. It contains extensive references to process and env (703), tokens and authentication material (over 463), and repositories (336), indicating its data harvesting capabilities.
- Daemon thread execution: The malware operates as a silent daemon thread, suppressing output to evade detection.
- Credential exfiltration: The primary objective is to steal sensitive credentials, including GitHub tokens, NPM tokens, cloud access keys (AWS, GCP, Azure), environment variables, and other secrets.
- GitHub API abuse: Stolen GitHub tokens are leveraged to commit encoded data to repositories controlled by the attackers.
- NPM package infection: The malware possesses the capability to inject malicious code into developer NPM package tarballs, establishing a persistent foothold.
The obfuscated router_runtime.js payload exhibits significant technical parallels with the Shai-Hulud attack campaign. These overlaps include identical patterns for targeting credentials, similar token theft logic, and shared obfuscation techniques, suggesting a common origin or shared toolkit.
This incident aligns with the escalating open-source supply chain campaign attributed to Team PCP. This group has previously compromised other prominent packages in quick succession, including LiteLLM (March 24, 2026), Telnyx (March 27, 2026), and Xinference.
During the incident response phase, an attacker posted a Tor onion link within the Lightning-AI GitHub issue thread. This link led to a Team PCP-branded website featuring a PGP-signed message that claimed LAPSUS$ was “a good partner” in the operation. Socket has not independently verified this attribution and is investigating whether the Team PCP branding is genuine, an opportunistic association, or a deliberate false-flag attempt.
GitHub Maintainer Account Appears Compromised
Reports from community members emerged in the Lightning-AI GitHub repository under issue #21689, titled “Possible supply chain attack on version 2.6.3.”

When Socket subsequently posted a follow-up warning in the pytorch-lightning repository, the issue was closed within one minute by the pl-ghost account. This account then posted a “SILENCE DEVELOPER” meme, strongly indicating that the project’s GitHub account has been compromised and is under attacker control.
What You Should Do
Security teams must consider any environment that has installed and imported lightning versions 2.6.2 or 2.6.3 to be fully compromised and should take immediate action:
- Remove Malicious Versions: Immediately uninstall versions 2.6.2 and 2.6.3 from all affected systems.
- Downgrade to Safe Version: Downgrade installations to version 2.6.1, which is confirmed clean, or await official guidance from the maintainers.
- Rotate All Credentials: Promptly rotate all potentially compromised credentials, including GitHub tokens, NPM tokens, cloud access keys (AWS, GCP, Azure), and any secrets stored in environment variables.
- Audit GitHub Repositories: Scrutinize GitHub repositories for any unauthorized commits or suspicious encoded data injections.
- Review Logs: Thoroughly review logs from CI/CD pipelines, developer workstations, and build systems where the compromised package may have been imported.
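A file-level check for the indicators named in this article, given here as an added example (not code from Socket, this site or the Lightning project): it reads installed-package metadata and looks for the _runtime files without importing anything from the environment. The function names, the fixture builder and the assumption that _runtime may sit at any depth in the tree are illustrative.

```python
import site
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                  # versions named in the article
PAYLOAD_FILES = {"start.py", "router_runtime.js"}  # _runtime contents named in the article

def scan_site_packages(root):
    """Inspect one site-packages directory by reading files only.

    Nothing is imported from the directory: the article states the payload
    runs on import, so `import lightning` must never be used as a check.
    """
    root = Path(root)
    findings = []
    for dist in metadata.distributions(path=[str(root)]):
        name = (dist.metadata.get("Name") or "").lower()
        version = dist.metadata.get("Version") or ""
        if name == "lightning" and version in BAD_VERSIONS:
            findings.append(("bad-version", f"lightning=={version}"))
    # Assumption: the _runtime directory can sit at any depth in the tree.
    for d in sorted(root.rglob("_runtime")):
        if d.is_dir():
            hits = sorted(p.name for p in d.iterdir() if p.name in PAYLOAD_FILES)
            if hits:
                rel = d.relative_to(root).as_posix()
                findings.append(("payload", f"{rel}: {','.join(hits)}"))
    return findings

def build_sample(root, version, with_payload):
    """Constructed fixture: a fake install tree with empty placeholder files."""
    root = Path(root)
    info = root / f"lightning-{version}.dist-info"
    info.mkdir(parents=True)
    meta = f"Metadata-Version: 2.1\nName: lightning\nVersion: {version}\n"
    (info / "METADATA").write_text(meta)
    if with_payload:
        rt = root / "lightning" / "_runtime"
        rt.mkdir(parents=True)
        for fname in PAYLOAD_FILES:
            (rt / fname).write_text("")
    return root

if __name__ == "__main__":
    # Scan directories given on the command line, else this interpreter's own.
    for r in sys.argv[1:] or site.getsitepackages():
        for kind, detail in scan_site_packages(r):
            print(f"{r}: {kind}: {detail}")
```

Run it with a known-clean interpreter and pass the site-packages paths of the environments under review as arguments; any finding means that environment falls under the credential rotation step above.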
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


