PyTorch Lightning Hit by Supply Chain Attack: Malicious Versions Steal User Credentials
Incident Overview
The popular Python deep learning framework PyTorch Lightning (package name: lightning), widely used by AI developers, has fallen victim to a supply chain attack. Threat actors successfully compromised the project's publishing channel on PyPI (Python Package Index) and pushed two versions containing malicious code aimed at stealing user credentials.
According to a joint disclosure by three security firms — Aikido Security, Socket, and StepSecurity — the compromised versions were 2.6.2 and 2.6.3, both uploaded to PyPI on April 30, 2025. The incident has been assessed as a continuation of a recent series of supply chain attacks targeting the AI/ML ecosystem.
Attack Methodology Analysis
PyTorch Lightning is a high-level wrapper framework built on top of PyTorch, designed to simplify the training process for deep learning models. It enjoys extremely high adoption rates in AI research and engineering, with over 28,000 GitHub stars. This popularity made it a high-value target for attackers.
The core technique used in this attack is a classic case of "software supply chain poisoning." The attackers gained access to the project maintainer's PyPI publishing credentials through undisclosed means and subsequently uploaded tampered package versions. Malicious code was embedded in the installation or runtime workflow. When developers installed or updated to the compromised versions via pip install, the malicious code would automatically execute, collecting and exfiltrating user credentials — including but not limited to API keys in environment variables, cloud service access tokens, and other sensitive data.
Notably, the attackers' versioning strategy was particularly cunning — 2.6.2 and 2.6.3 appeared to be normal iterative updates, making them easily accepted by automated dependency management tools or developers who didn't scrutinize the releases.
Impact Scope and Response Measures
The affected malicious versions have since been removed from the PyPI platform. Security agencies recommend all PyTorch Lightning users take the following actions immediately:
- Check installed versions: Run pip show lightning to confirm your current version number. If it is 2.6.2 or 2.6.3, uninstall immediately and reinstall a verified safe version.
- Rotate all credentials: If you ever installed a compromised version, assume all environment variables and credentials have been exposed. Immediately rotate all API keys, cloud service tokens, and related passwords.
- Audit CI/CD pipelines: Check whether any automated build and deployment workflows may have pulled the malicious versions.
- Enable version pinning: Use exact version numbers in requirements.txt or pyproject.toml, along with hash verification.
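The first and last of these steps as an added, runnable check (example code, not from the original article or from the Lightning project): it reports the installed lightning version the way pip show does, and lints a requirements file for entries that are unpinned, lack a --hash= line, or are pinned to 2.6.2 or 2.6.3. The sample requirements text and its sha256 digest are constructed placeholders.

```python
import re
from importlib import metadata

COMPROMISED = {"lightning": {"2.6.2", "2.6.3"}}  # versions named in the disclosure above
def is_compromised(name, version):
    return version in COMPROMISED.get(name.lower(), set())

def check_installed(dist="lightning"):
    # Mirrors 'pip show lightning': returns (version or None, compromised?).
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return (None, False)
    return (version, is_compromised(dist, version))

def _logical_lines(text):
    # Join backslash-continued lines (the usual --hash layout) into single logical lines.
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield " ".join((buf + line).split())
        buf = ""

REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)(.*)$")  # name==version, then pip options
def audit_requirements(text):
    # Flag lines not pinned with ==, lacking --hash=, or pinned to a compromised build.
    problems = []
    for line in _logical_lines(text):
        if not line or line.startswith(("#", "-")):
            continue  # comments and bare pip options
        m = REQ_RE.match(line)
        if not m:
            problems.append((line, "not pinned with =="))
            continue
        name, version, rest = m.groups()
        if is_compromised(name, version):
            problems.append((line, "pinned to a known-compromised version"))
        if "--hash=" not in rest:
            problems.append((line, "no --hash= verification"))
    return problems

# Constructed sample requirements file; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
lightning==2.6.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
numpy>=1.26
"""
```

Once every entry is pinned and hashed, pip install --require-hashes -r requirements.txt refuses any artifact whose digest does not match the recorded one.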
Another Wake-Up Call for AI Open-Source Security
This is far from the first supply chain attack in the AI/ML space. In recent years, from the spoofing of PyTorch's official torchtriton package to the discovery of malicious serialized models in Hugging Face model repositories, attacks targeting AI developers have been on the rise.
Attackers are well aware that AI developers' working environments often contain high-value assets — access keys to cloud computing platforms, tokens for model training APIs, database connection credentials, and more. Once these credentials are compromised, the consequences can range from unauthorized use of computing resources to training data leaks and loss of model assets.
Security experts point out that supply chain security in the current AI open-source ecosystem faces three major challenges: first, identity verification mechanisms on package management platforms still have room for improvement; second, security awareness among developers varies widely, with many teams lacking dependency auditing processes; and third, the dependency chains in AI projects are growing increasingly complex, continuously expanding the attack surface.
Looking Ahead
This incident once again underscores that infrastructure security cannot be overlooked amid the rapid development of AI. The industry is driving several improvement initiatives, including PyPI's mandatory two-factor authentication, Sigstore code signing verification, and the widespread adoption of Software Bill of Materials (SBOM).
For AI development teams, incorporating supply chain security into everyday development practices is now an urgent priority. It is recommended to adopt dependency scanning tools (such as Socket, Snyk, etc.), establish private mirror repositories, and conduct regular security audits of critical dependencies. Only by building a multi-layered defense system can teams effectively counter the increasingly severe supply chain threats while continuing to benefit from open source.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/pytorch-lightning-supply-chain-attack-malicious-versions-steal-credentials