PyTorch Lightning PyPI package pushed credential-stealing releases
Attackers published malicious PyTorch Lightning versions 2.6.2 and 2.6.3 to PyPI on April 30, 2026; the packages install a hidden downloader and obfuscated JavaScript that harvests credentials.
PyTorch Lightning’s package on the Python Package Index was compromised on April 30, 2026, when attackers published malicious versions 2.6.2 and 2.6.3. PyPI administrators have quarantined the project. The project’s maintainers acknowledged the incident and said they are investigating. Security firms Aikido Security, OX Security, Socket and StepSecurity reported the tampered releases.
The malicious releases include a concealed _runtime directory that deploys a downloader and an obfuscated JavaScript component. The attack chain runs automatically when the lightning module is imported, so no further user action is required after installation and import. An initial Python script named start.py downloads the Bun JavaScript runtime and uses it to execute an approximately 11 MB obfuscated payload called router_runtime.js. That payload is configured to collect credentials from developer machines and CI/CD environments.
Captured GitHub tokens are validated against the api.github.com/user endpoint before being reused to inject a worm-like payload into repositories where the token grants write access. The code performs an upsert on target branches, creating files that do not exist and overwriting existing files without checking content. Investigators say the exploit can modify as many as 50 branches per writable repository. Many poisoned commits use a hardcoded author identity that imitates Anthropic’s Claude Code.
The campaign also includes an npm-based propagation vector that tampers with a developer’s local packages. The malware injects a postinstall hook into package.json, increments the patch version, repacks the .tgz tarball, and leaves the local environment in a state where a subsequent publish could push the compromised package to npm and reach downstream users.
Investigators have not confirmed how attackers first gained access, but indicators point to a compromised GitHub account for the project as a likely entry. Analysts connect the incident to a broader supply chain campaign dubbed Mini Shai-Hulud, which used similar preinstall and postinstall hooks and credential-harvesting techniques. The activity has been associated with a threat actor tracked as TeamPCP.
Security teams recommend immediate mitigation: remove versions 2.6.2 and 2.6.3 from developer machines and CI pipelines, downgrade to the last known clean release (2.6.1), and rotate any credentials that may have been exposed.
“The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket described. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.” Maintainers wrote, “we are aware of the issue and are actively investigating.”
