PyTorch Lightning package compromised in supply-chain attack
Multiple security teams report that the PyPI package "lightning" (the PyTorch Lightning framework) was published with malicious builds on April 30, 2026. Socket's Research Team flagged versions 2.6.2 and 2.6.3 as malicious, according to reporting by The Hacker News and cybersecuritynews. The injected code executes automatically on import and runs a background start.py script that downloads the Bun JavaScript runtime and launches an 11 MB obfuscated payload, per Socket and Aikido's technical writeups. The payload is configured to harvest SSH keys, shell histories, cloud credentials, GitHub and npm tokens, and cryptocurrency wallets, and to exfiltrate data to attacker-controlled GitHub repositories, according to Socket and Aikido. The Hacker News reports that PyPI administrators have quarantined the project and that maintainers said "we are aware of the issue and are actively investigating."
What happened
Multiple security reports describe a supply-chain compromise of the PyPI package "lightning" (the PyTorch Lightning framework). Socket's Research Team flagged lightning versions 2.6.2 and 2.6.3 as malicious, according to reporting by The Hacker News and cybersecuritynews. Cybersecuritynews reports that Socket flagged the builds just 18 minutes after publication on April 30, 2026, and that 2.6.1 remains the last known clean baseline. The Hacker News reports that PyPI administrators have quarantined the project. The Hacker News also reports that project maintainers said "we are aware of the issue and are actively investigating."
Technical details
Socket's analysis, as reported by The Hacker News and cybersecuritynews, shows the malware inserts a hidden _runtime directory and modifies __init__.py so a background thread launches a start.py helper on import. Aikido's writeup reproduces the import-time thread snippet and describes start.py downloading the Bun JavaScript runtime (reported to be v1.3.13) and executing an obfuscated router_runtime.js payload of about 11 MB. Socket told reporters, "The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload." The combined reporting documents credential-harvesting code paths that target GitHub tokens, npm tokens, cloud credentials (AWS, GCP, Azure), environment files, SSH keys, shell histories, Kubernetes and Docker credentials, and multiple cryptocurrency wallets (sources: Aikido, cybersecuritynews, The Hacker News).
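The indicators reported above (versions 2.6.2 and 2.6.3, a _runtime directory, start.py and router_runtime.js) can be checked on disk without importing the package, which matters because the reported code runs at import time. The script below is an added example, not code from Socket, Aikido or the Lightning project; it assumes the _runtime directory sits somewhere under the installed lightning package directory, and its function names are illustrative.

```python
"""Check a Python environment for the indicators reported for lightning 2.6.2/2.6.3.

Reads files only. It never imports `lightning`, because the reported
malicious code runs at import time.
"""
import sys
import sysconfig
from email.parser import Parser
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                  # versions named in the reports
PAYLOAD_FILES = {"start.py", "router_runtime.js"}  # file names named in the reports


def installed_version(site_packages: Path):
    """Return the version recorded in lightning's dist-info METADATA, or None."""
    for meta in site_packages.glob("lightning-*.dist-info/METADATA"):
        headers = Parser().parsestr(meta.read_text(errors="replace"), headersonly=True)
        if (headers.get("Name") or "").lower() == "lightning":
            return headers.get("Version")
    return None


def scan_site_packages(site_packages: Path):
    """Return a list of findings; an empty list means no indicator was seen."""
    findings = []
    version = installed_version(site_packages)
    if version in BAD_VERSIONS:
        findings.append(f"lightning {version} is a reported malicious release")
    # Assumption: the _runtime directory is located under the package directory.
    pkg = site_packages / "lightning"
    if pkg.is_dir():
        for d in pkg.rglob("_runtime"):
            if d.is_dir():
                names = sorted(p.name for p in d.iterdir() if p.name in PAYLOAD_FILES)
                findings.append(f"{d.relative_to(site_packages)} present, payload files: {names}")
    return findings


if __name__ == "__main__":
    # Optional argument: path to a site-packages directory (default: this interpreter's).
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(sysconfig.get_paths()["purelib"])
    results = scan_site_packages(root)
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check fail a CI job; a clean result only means these specific indicators are absent from that one environment.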
Editorial analysis - technical context
Industry-pattern observations: supply-chain campaigns increasingly use import-time execution and multi-stage bootstrap loaders that pull a platform-specific runtime, then run a large obfuscated payload. Public coverage links this incident to the "Mini Shai-Hulud" campaign and to prior Team PCP activity, per Aikido and cybersecuritynews. Similar incidents have used npm and container registries as lateral propagation vectors; The Hacker News describes an npm infection vector here that modifies local package.json postinstall hooks and repacks .tgz tarballs to propagate if an infected developer publishes packages.
Context and significance
Industry context
lightning is a widely used convenience framework for PyTorch workflows. Cybersecuritynews reports the package has "hundreds of thousands of daily downloads and millions of monthly installations" on PyPI, making this a high-impact dependency for ML practitioners and CI pipelines. The combination of import-time execution, GitHub token theft, and automated commit logic that can write to multiple branches elevates the incident beyond a single-machine compromise because stolen tokens validated against the GitHub API can be abused to plant additional backdoors in repositories (source: The Hacker News, Socket analysis).
What to watch
For practitioners: monitor security advisories from PyPI and your package management tooling for quarantined or replaced releases. Industry observers should watch for follow-on activity that uses harvested tokens to modify repositories or publish poisoned packages to other registries, as described by The Hacker News and Socket. Audit CI secrets and any recent tokens issued from developer machines or compromised CI runners; validate whether any automated commits appear authored using impersonated identities, as Socket's reporting indicates the malware authors used a hardcoded identity to impersonate a known vendor in poisoned commits.
Editorial analysis: this incident underscores an ongoing pattern where attacker-controlled runtimes (here, Bun plus an obfuscated JS payload) are used to unify cross-platform credential theft and registry propagation. For teams relying on popular ML dependencies, the practical risk vector is not only local developer compromise but also contamination of CI/CD artifacts and downstream packages.
Scoring Rationale
A malicious release in a widely used ML dependency presents a major supply-chain risk to developers, CI pipelines, and downstream packages. The combination of import-time execution, broad credential targeting, and registry propagation makes this a high-impact security incident for AI/ML practitioners.


