PyTorch Lightning Attack: Supply Chain Risk Revealed
Discover the details of the PyTorch Lightning supply chain attack: malicious versions, npm propagation, and AI impersonation. Here's what to know.

With over 31,100 stars on GitHub, the renowned open-source project PyTorch Lightning was hit today, April 30, 2026, by a severe supply chain attack. Versions 2.6.2 and 2.6.3 of the Python package lightning were published with malicious code, turning developers' machines into infection vectors and stealing GitHub credentials.
PyTorch Lightning Compromise: The Attack Vector
The event materialized on April 30, 2026, with the publication of the compromised versions on PyPI. The previous version, 2.6.1 released on January 30, 2026, is considered clean and represents the last safe baseline before the infection.
The Socket security scanner detected the malicious versions only 18 minutes after their publication, a rapid reaction time that nonetheless left an initial exposure window. According to Socket's analysis, "The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload. The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import."
Automatic Execution and GitHub Credential Theft
The malware's execution chain is hybrid and reaches beyond the Python ecosystem. Upon module import, the Python script start.py downloads and executes the Bun JavaScript runtime, which in turn runs the obfuscated malicious payload router_runtime.js, notable for its size of 11 MB.
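Because the chain starts at import, an environment should be checked without importing the package. The following added example (not code from Socket or the Lightning project) reads the installed version and directory layout from disk. The location searched for `_runtime`, the function names and the sample tree are assumptions made for illustration.

```python
# Added example: on-disk triage that never imports `lightning`.
import tempfile
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}                  # from the article
PAYLOAD_NAMES = {"start.py", "router_runtime.js"}  # from the article


def dist_version(dist_info: Path) -> str:
    """Return the Version header from <dist-info>/METADATA, or ''."""
    meta = dist_info / "METADATA"
    text = meta.read_text(errors="replace") if meta.is_file() else ""
    for line in text.splitlines():
        if not line.strip():              # blank line ends the headers
            break
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return ""


def triage(site_packages: Path) -> dict:
    """Check one site-packages directory without executing anything in it."""
    versions = sorted(dist_version(d)
                      for d in site_packages.glob("lightning-*.dist-info"))
    pkg = site_packages / "lightning"
    # Assumption: _runtime lives somewhere below the package directory.
    runtime = [p for p in pkg.rglob("_runtime") if p.is_dir()] if pkg.is_dir() else []
    found = sorted({f.name for d in runtime for f in d.iterdir()
                    if f.name in PAYLOAD_NAMES})
    return {"versions": versions, "runtime_dir": bool(runtime),
            "bad_version": any(v in BAD_VERSIONS for v in versions),
            "payload_files": found}


def build_sample(root: Path, version: str, infected: bool) -> Path:
    """Constructed site-packages layout; file contents are placeholders."""
    sp = root / f"sp-{version}"
    info = sp / f"lightning-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(f"Name: lightning\nVersion: {version}\n\n")
    sub = sp / "lightning" / ("_runtime" if infected else "core")
    sub.mkdir(parents=True)
    for name in (PAYLOAD_NAMES if infected else {"module.py"}):
        (sub / name).write_text("placeholder\n")
    return sp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(Path(tmp), "2.6.3", infected=True)))
```

To check a real environment, pass `triage()` the path of each virtual environment's site-packages directory, using an interpreter that does not have the package installed.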
This payload is designed for mass credential theft. Inside the obfuscated code, over 703 references to processes and environment variables were identified, along with more than 463 references to tokens and authentication materials, and 336 references to repositories. Stolen GitHub tokens are validated by the attacker against the api.github[.]com/user endpoint.
Once access is secured, the malware uses the tokens to inject a worm-type payload into up to 50 branches for each repository with write access. As explained by Socket, "The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do. No pre-check for existing content is performed."
AI Impersonation and Local npm Propagation
The most relevant angle of this campaign lies in the evolution of social obfuscation and local propagation techniques. Each poisoned commit is signed using a hardcoded identity created to impersonate Anthropic's Claude Code. This suggests that attackers are leveraging developers' trust in AI-based coding tools to mask malicious changes in repositories.
In parallel, the malware implements an npm propagation vector targeting the developer's local environment. The code modifies npm packages present on the victim's machine, adding a postinstall hook in the package.json file to automatically invoke the malicious payload upon each installation. It is likely that this dual Python/npm propagation aims to maximize the malware's persistence within development environments.
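An audit for the package.json change described above, as an added example that is not taken from the cited reports. It lists every postinstall hook under a directory tree so each can be reviewed. The pattern that ranks hooks mentioning Bun or router_runtime.js first is an assumption, as are the function names and the constructed sample manifests.

```python
# Added example: list postinstall hooks in locally installed npm packages.
import json
import re
import tempfile
from pathlib import Path

# Assumption: a hook that starts Bun or names the payload file from the
# article deserves first attention; every other hook is still reported.
SUSPECT = re.compile(r"\bbun\b|router_runtime", re.IGNORECASE)


def postinstall_hooks(root: Path) -> list[dict]:
    """Return one record per package.json under root that defines postinstall."""
    records = []
    for manifest in sorted(root.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(errors="replace"))
        except (OSError, json.JSONDecodeError):
            # An unreadable manifest is reported for manual review.
            records.append({"path": manifest, "hook": None, "suspect": True})
            continue
        scripts = data.get("scripts") if isinstance(data, dict) else None
        hook = scripts.get("postinstall") if isinstance(scripts, dict) else None
        if isinstance(hook, str):
            records.append({"path": manifest, "hook": hook,
                            "suspect": bool(SUSPECT.search(hook))})
    return records


def build_sample(root: Path) -> Path:
    """Constructed node_modules tree; the hook commands are made up."""
    samples = {
        "left": {"name": "left", "scripts": {"test": "node t.js"}},
        "native": {"name": "native", "scripts": {"postinstall": "node-gyp rebuild"}},
        "tampered": {"name": "tampered",
                     "scripts": {"postinstall": "bun run ./router_runtime.js"}},
    }
    for name, manifest in samples.items():
        (root / "node_modules" / name).mkdir(parents=True)
        (root / "node_modules" / name / "package.json").write_text(json.dumps(manifest))
    return root / "node_modules"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in postinstall_hooks(build_sample(Path(tmp))):
            print("SUSPECT" if rec["suspect"] else "review ", rec["path"], rec["hook"])
```

Legitimate packages also use postinstall, so an unflagged hook still needs comparing against the package's published manifest.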
Dynamics of Compromise and Team PCP Context
The GitHub account of the Lightning-AI project shows clear signs of compromise. A community member initially reported the anomaly in a GitHub issue, although sources report inconsistent numbers for this initial report (issue #21691 according to one source, #21689 according to others). After Socket opened a subsequent warning issue, it was closed in just one minute by the pl-ghost account, which posted the "SILENCE DEVELOPER" meme. The project maintainers, however, stated: "we are aware of the issue and are actively investigating."
The attack is considered an extension of the "Mini Shai-Hulud" campaign and is attributed to Team PCP. This group had previously compromised LiteLLM on March 24, 2026, and Telnyx on March 27, 2026. An attacker also posted a Tor onion link in the GitHub thread claiming LAPSUS$ involvement as a partner, an attribution that Socket has not yet independently verified. In response to the incident, PyPI administrators quarantined the project.
Frequently Asked Questions
- Which versions of the lightning package are safe?
  Version 2.6.1, published on January 30, 2026, is considered clean and the last safe baseline. Versions 2.6.2 and 2.6.3 from April 30, 2026, are malicious, and the package is now quarantined on PyPI.
- How does the developer system infection occur?
  The infection occurs automatically upon importing the lightning module. The Python script downloads the Bun runtime, which executes an 11 MB JavaScript payload to steal tokens and insert a postinstall hook into local npm packages.
- Why are poisoned commits difficult to spot at first glance?
  The commits injected by the worm are signed with an identity designed to impersonate Anthropic's Claude Code, exploiting trust in AI tools to mask the malicious changes.
This article is a summary based exclusively on the listed sources.
Sources
- https://cybersecuritynews.com/python-package-lightning-hacked/amp/
- https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html
- https://www.cyberkendra.com/2026/04/lightning-pypi-package-compromised-in.html
- https://www.acn.gov.it/portale/en/w/supply-chain-attack-compromissione-del-pacchetto-npm-axios
- https://news.ycombinator.com/item?id=38969533