PyTorch Lightning Supply Chain Attack Unveils Credential‑Theft Malware

A coordinated software supply‑chain assault has compromised the widely used Python library PyTorch Lightning, marking a fresh ↓ 2 versions of the PyTorch Lightning supply chain attack that injects credential‑stealing code.

Details of the PyTorch Lightning supply chain attack

Security firms Aikido, OX, Socket and StepSecurity traced the malicious uploads to versions 2.6.2 and 2.6.3, both published on April 30, 2026. The packages were signed, yet the payload concealed a routine that harvests API keys and service tokens from the host environment.

“The malicious code activates only after a short delay, making detection by standard static analysis tools extremely difficult,” said a researcher at Reuters.

Experts warn that downstream projects that depend on PyTorch Lightning may inadvertently distribute the backdoor to end‑users. Immediate remediation steps include purging the tainted releases, updating to the patched 2.6.4 version, and scanning CI pipelines for unexpected network calls.

For a broader view of the threat, see the analysis published by Bloomberg, which highlights a rising trend of credential‑theft vectors in open‑source ecosystems.

Words by: Isla Thorne

Guest Technology Correspondent
(Note: Isla Thorne is covering this desk while Nova Stirling is recovering from the flu.)