EN, Security Boulevard

Malicious PyTorch Lightning Packages Found on PyPI

Image with text "Pytorch Lightning Compromised" with icon of a skull next to it

TL;DR

  • Two malicious versions of the popular PyTorch Lightning package have been uploaded to PyPI following the publisher account’s compromise.

  • Lightning versions 2.6.2 and 2.6.3 (tracked as sonatype-2026-002817) were published on April 30, 2026, containing embedded malicious code that gathers developer credentials and publishes infected package versions.

  • If downloaded, these malicious versions have likely already done their damage — if you are unsure, verify that your build processes are using version 2.6.1.

The widely used pytorch-lightning package has been hijacked by malicious actors, resulting in two malicious versions (2.6.2 and 2.6.3) publishing on the PyPI registry on April 30, 2026. The packages are designed to steal developer credentials and republish malicious versions of the repositories to which stolen tokens have access.

This is yet another escalation in a series of self-propagating open source malware attacks that are designed to steal credentials, spread rapidly, and overwhelm open source repositories.

What Happened

On April 30, 2026, two back-to-back releases of the lightning package were published to PyPI:

  • lightning 2.6.2

  • lightning 2.6.3 (published just 13 minutes later)

The project’s maintainers released an advisory detailing the incident. Both versions were uploaded by the same publisher and researchers believe are part of a coordinated attack. Despite minimal differences between the releases, both contained the same malicious payload.

Critically, version 2.6.3 was not a fix. It retained the full malicious functionality while slightly modifying metadata and loader behavior to evade detection.

Technical Analysis: How the Attack Works

The attack is triggered automatically when the package is imported:

  • A modified __init__.py file launches a background process.

  • The process executes silently with no visible output.

  • Users receive no indication of compromise.

This means simply importing the package is enough to activate the malware.

Obfuscated Multi-Cloud Credential Harvester

The package includes a large (11 MB) obfuscated JavaScript file that uses heavy hex-encoded variable obfuscation to evade static analysis and executes via a bundled runtime loader.

The payload targets a wide range of services, including:

  • AWS (IMDS, STS, Secrets Manager).

  • Azure (AD, Key Vault, Service Fabric).

  • Google Cloud (OAuth, metadata services, KMS).

  • GitHub APIs.

  • Local environment variables and credential files.

The intent is to harvest credentials across multi-cloud and developer environments.

Secondary Payload Execution

The package includes a Python bootstrapper that downloads a runtime (Bun) from GitHub if not present, executes the malicious JavaScript payload, and runs in the background without blocking execution.

Additionally, the malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, increasing the potential impact.

Why This Attack Matters

Compromised Package, Not a Fake

Unlike traditional typosquatting attacks, this incident involves a compromised version of a legitimate, widely used package.

This makes it significantly more dangerous because: