Supply Chain Attack on PyTorch Lightning Discovered

In a recent cybersecurity incident, attackers compromised the popular Python package Lightning. According to reports from Aikido Security, OX Security, Socket, and StepSecurity, two malicious versions, 2.6.2 and 2.6.3, were released on April 30, 2026. This attack aims to steal user credentials. The affected versions were distributed via the official package manager PyPI.

Users who have installed these versions may now be at risk, as the attackers may have gained access to sensitive information. Security researchers have identified the malicious changes in the packages and are warning about the potential risks. The attackers designed the malicious versions to masquerade as regular updates, making it difficult for users to detect that they have installed a compromised version. Security researchers recommend checking installed versions and reverting to safe versions if necessary.
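One way to carry out the recommended version check, as an added example that is not part of the report or of the Lightning project: it flags the two versions named in the article (2.6.2 and 2.6.3) both in a `pip freeze`-style requirements listing and in the running interpreter's installed packages. It assumes the affected distribution is published on PyPI under the name `lightning`; the sample freeze output is constructed for the example.

```python
import re
from importlib import metadata

# Releases the article names as malicious (distribution name is an assumption).
AFFECTED = {"lightning": {"2.6.2", "2.6.3"}}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Matches 'name[extras]==version ; markers  # comment' as produced by
# `pip freeze` or written in a pinned requirements file.
_PIN = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*(?P<ver>[^\s;#]+)"
)


def is_affected(name: str, version: str) -> bool:
    """True when the (name, version) pair is one of the reported malicious releases."""
    return version in AFFECTED.get(normalize(name), set())


def scan_requirements(lines):
    """Return [(name, version)] for every pinned line naming an affected release."""
    hits = []
    for line in lines:
        m = _PIN.match(line)
        if m and is_affected(m.group("name"), m.group("ver")):
            hits.append((normalize(m.group("name")), m.group("ver")))
    return hits


def scan_environment():
    """Check the distributions installed in the running interpreter."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and is_affected(name, dist.version):
            hits.append((normalize(name), dist.version))
    return hits


SAMPLE_FREEZE = """\
# constructed sample of `pip freeze` output
numpy==1.26.4
Lightning[extra]==2.6.2 ; python_version >= "3.9"
pytorch_lightning==2.5.0
lightning==2.6.1
"""

if __name__ == "__main__":
    for name, ver in scan_requirements(SAMPLE_FREEZE.splitlines()) + scan_environment():
        print(f"AFFECTED: {name}=={ver}")
```

Run it inside each virtual environment and CI image in turn, since `scan_environment` only sees the interpreter it runs under.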

The attack on Lightning is part of a larger trend of software supply chain attacks that have increased in recent years. Such attacks aim to exploit vulnerabilities in widely used software packages to spread malware or steal data. The security community has increasingly highlighted these threats in recent months. Researchers from Aikido Security have noted that the attackers are specifically targeting developers and companies that rely on the Lightning library. This library is commonly used for machine learning and AI applications, making it an attractive target for cybercriminals.

The impact of such attacks can be significant, especially when they occur in production environments. To minimize risks, experts advise regularly monitoring the use of software packages and promptly installing security updates. Additionally, developers and companies should ensure that they only use trusted sources for software downloads. Security researchers have already taken steps to remove the malicious versions from PyPI. The incidents surrounding the malicious versions of Lightning underscore the need for a robust security strategy in software development.

Companies should consider implementing additional security measures to protect their systems from such attacks. These measures include code reviews and the use of security tools to detect malware. The vulnerability exploited by this attack could also affect other software packages. Experts warn that similar attacks on other widely used libraries are possible. The security community remains vigilant and is working to minimize the impact of such attacks.

The affected versions of Lightning are currently no longer available, and security researchers are working to identify the attackers. The exact number of affected users is still unclear; however, it is estimated that several thousand developers may be at risk. Security researchers advise all users to promptly check their systems and take appropriate action if necessary. The incidents surrounding the malicious versions of Lightning are further evidence of the ongoing challenges in cybersecurity. Companies and developers must be aware of the risks and take proactive steps to protect their systems. The security community will continue to work on educating and preventing such attacks. Researchers from Aikido Security have classified the malicious versions as Credential Theft and warn of the potential consequences for users.

Tags: Cybersecurity Software PyTorch Lightning Supply Chain Attack Malware Credential Theft
