PyTorch Lightning Compromised on PyPI to Steal Developer Secrets
TeamPCP threat actors backdoored versions 2.6.2 and 2.6.3 of the popular AI framework, harvesting SSH keys, cloud credentials, and GitHub tokens from millions of developers.
The TeamPCP threat group has compromised PyTorch Lightning, one of the most popular Python frameworks for machine learning development. Two malicious versions—2.6.2 and 2.6.3—were published to PyPI on April 30, 2026, containing credential-stealing malware that executes automatically when developers import the package.
Lightning receives millions of downloads per month, making this among the highest-impact PyPI supply chain attacks of the year. The malicious versions have been removed, but any organization that installed them during the attack window needs to rotate affected credentials immediately.
How the Attack Worked
The compromise introduced a hidden _runtime directory containing a downloader and obfuscated JavaScript payload. Unlike typical supply chain attacks requiring explicit execution, this one triggered automatically upon import—no additional user action needed.
The execution chain started with a Python script (start.py) that downloaded the Bun JavaScript runtime from GitHub. Bun then executed an 11MB obfuscated payload (router_runtime.js) that conducted comprehensive credential harvesting across the compromised system.
The malware validated stolen GitHub tokens against the api.github.com/user endpoint before exfiltration, confirming they were live credentials rather than expired or revoked tokens.
What Was Stolen
The payload targeted a broad range of developer secrets:
- GitHub tokens - Validated and used for secondary propagation
- SSH private keys - Enabling lateral movement across infrastructure
- Cloud credentials - AWS, Azure, GCP configuration files
- Kubernetes configs - Service account tokens and cluster access
- Docker credentials - Registry authentication
- npm tokens - Package publishing access
- Environment files - Any .env file containing API keys
This targeting profile matches the pattern we've seen in other TeamPCP supply chain operations, focusing on credentials that enable further compromise of development infrastructure.
The Worm-Like Propagation
What makes this attack particularly concerning is its self-propagating design. According to Aikido Security's analysis, poisoned commits were authored using a hardcoded identity designed to impersonate Anthropic's Claude Code.
Stolen GitHub tokens enabled the malware to inject payloads into up to 50 branches per compromised repository. The malware also modified local npm packages via postinstall hooks, incrementing patch versions and repacking tarballs. Developers who unknowingly published these tampered packages spread infection downstream.
This cascade effect mirrors the technique TeamPCP used in their Checkmarx KICS compromise earlier this year, where tokens stolen from one breach enabled attacks on entirely separate organizations.
Detection and Timeline
Multiple security firms detected the compromise independently:
- Socket's AI scanner flagged both malicious versions within 18 minutes of publication
- Aikido Security, OX Security, and StepSecurity published concurrent analyses
- PyPI quarantined the Lightning package and deleted versions 2.6.2 and 2.6.3
- The quarantine has since been lifted; version 2.6.1 is the latest safe release
The rapid detection limited the attack window, but Lightning's download volume means thousands of installations likely occurred during those 18 minutes.
Cascade to Other Ecosystems
The compromise didn't stay contained to Python. The Hacker News reports that related attacks hit packages in other ecosystems:
- intercom-client (npm v7.0.4) - Similar credential-stealing mechanism
- intercom-php (Packagist v5.0.2) - Adapted for PHP using Composer plugins
The connection? Intercom's local installation of pyannote-audio included Lightning as a transitive dependency. The compromise cascaded through the dependency tree, demonstrating how a single backdoored package can spread across multiple ecosystems.
Remediation Steps
Organizations that use PyTorch Lightning should take immediate action:
- Check your installed version - Run pip show lightning and verify you're not on 2.6.2 or 2.6.3
- Rotate all credentials - If you installed a malicious version, assume all credentials on that system are compromised
- Audit GitHub repositories - Check for unauthorized commits or new branches
- Review npm packages - Verify local packages weren't modified with malicious postinstall hooks
- Scan CI/CD pipelines - Especially GitHub Actions runners that may have been exposed
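One way to script the first two checks above, as an added example that is not from the article or the Lightning project: it reports installed Lightning versions that match the malicious releases, looks for a _runtime directory carrying the start.py or router_runtime.js files the article names, and flags requirements pins of the bad versions. The distribution names checked and the requirements-file handling are assumptions; the fixture it builds is a constructed, inert stand-in for a real site-packages tree.

```python
import importlib.metadata as md
import re
import tempfile
from pathlib import Path

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}               # versions named in the article
INDICATOR_FILES = {"start.py", "router_runtime.js"}   # payload file names from the article
PIN_RE = re.compile(r"^\s*(lightning|pytorch-lightning)\s*==\s*([\w.]+)", re.I)


def installed_lightning_versions():
    """Return {distribution: version} for Lightning distributions present in this environment."""
    found = {}
    for name in ("lightning", "pytorch-lightning"):  # second name checked as a precaution (assumption)
        try:
            found[name] = md.version(name)
        except md.PackageNotFoundError:
            pass
    return found


def find_runtime_indicators(site_packages):
    """Find any _runtime directory under site_packages that holds the named payload files."""
    hits = []
    for runtime_dir in Path(site_packages).rglob("_runtime"):
        if runtime_dir.is_dir():
            present = INDICATOR_FILES & {p.name for p in runtime_dir.iterdir()}
            if present:
                hits.append((str(runtime_dir), sorted(present)))
    return hits


def pinned_bad_versions(requirements_text):
    """Return (package, version) pins in requirements text that match the malicious releases."""
    bad = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(2) in MALICIOUS_VERSIONS:
            bad.append((m.group(1).lower(), m.group(2)))
    return bad


def build_constructed_fixture():
    """Create a throwaway fake site-packages tree with the _runtime layout (constructed, inert)."""
    root = Path(tempfile.mkdtemp())
    runtime = root / "lightning" / "_runtime"
    runtime.mkdir(parents=True)
    (runtime / "start.py").write_text("# constructed placeholder, not the real downloader\n")
    return root


if __name__ == "__main__":
    print("installed:", installed_lightning_versions())
    print("indicators:", find_runtime_indicators(build_constructed_fixture()))
    print("bad pins:", pinned_bad_versions("lightning==2.6.3\ntorch==2.3.0\n"))
```

Point find_runtime_indicators at the real site-packages path (for example the directory reported by pip show lightning) to check a live environment; a hit is grounds to treat every credential on that host as compromised.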
For organizations building AI applications with Lightning, this incident reinforces the importance of dependency pinning and verification. The same frameworks that accelerate development create concentrated targets for attackers.
Why This Matters
TeamPCP has been systematically targeting developer tools throughout 2026. They hit Trivy, then LiteLLM, then Checkmarx KICS, and now PyTorch Lightning. Each attack feeds into the next—credentials stolen from one breach enable access to new targets.
The group's focus on AI and ML frameworks is deliberate. These tools run in environments rich with cloud credentials, API keys, and CI/CD secrets. A single compromised machine learning engineer's workstation can provide access to training infrastructure, model registries, and production deployment pipelines.
Supply chain security isn't a checkbox—it's an ongoing operational concern. Organizations should consider tools like Socket or Aikido for automated dependency scanning, and ensure their incident response plans account for credential compromise through third-party packages.