PyTorch Lightning package hit by PyPI malware

// 51d agoSECURITY INCIDENT

PyTorch Lightning package hit by PyPI malware

ANNOUNCEMENT PRODUCT GITHUB PRODUCT HUNT

Versions 2.6.2 and 2.6.3 of the `lightning` package used for training PyTorch models were reported as malicious after a supply-chain compromise. The injected code runs on import, starts a background payload, and is designed to steal developer credentials, cloud secrets, shell history, SSH keys, and other sensitive artifacts. Because the package is widely used in AI training workflows, the incident poses a broad risk to local dev environments, CI systems, and downstream projects that pinned or auto-upgraded to the affected releases.

// ANALYSIS

This is the kind of supply-chain hit that matters because it weaponizes normal developer behavior: install a training library, import it, and you may already be compromised.

–The attack surface is broad because the payload executes at import time, before application logic has a chance to guard against it.
–The stolen data set is operationally serious: cloud creds, GitHub tokens, SSH keys, and wallet material can all lead to secondary compromise.
–AI/ML teams are especially exposed because training dependencies often run in privileged notebooks, CI jobs, and shared GPU environments.
–The immediate mitigation is straightforward: avoid `lightning==2.6.2` and `2.6.3`, rotate exposed credentials, and review machines and pipelines that imported those versions.

// TAGS

pytorch-lightninglightningpypimalwaresupply-chaincredential-theftai-securityopen-source

DISCOVERED

51d ago

2026-04-30

PUBLISHED

51d ago

2026-04-30

RELEVANCE

10/ 10

AUTHOR

j12y

// KEEP READING

More AI developer news from the feed

EXPLORE FULL FEED

VIDEO47m ago

Claude Code, Bun creators demo autonomous loops

This 20-minute talk by Boris Cherny (Head of Claude Code at Anthropic) and Jarred Sumner (creator of Bun) details their transition from manual coding to fully autonomous developer workflows. They showcase "RoboBun," an agentic setup using Claude Code to reproduce issues, generate regression tests, and manage pull requests, illustrating how developers are shifting from simple chatbot prompts to multi-agent parallel loops for code maintenance.

MODEL1h ago

Gemma 4 12B Fable 5 Composer 2.5 drops

Gemma 4 12B Agentic Fable 5 Composer 2.5 is a community-developed fine-tune of Google's Gemma 4 12B instruct model, optimized for local coding, tool use, and multi-step agentic workflows. Leveraging distilled reasoning traces, the model claims a 3.5x improvement over the base model on local telecom benchmarks, bringing high-fidelity reasoning capabilities to local developer setups.

NEWS2h ago

Givros asks if GPT-5.6 hits OpenAI Codex

AI creator Givros publicly asked OpenAI's Head of Codex Thibault Sottiaux whether the rumored GPT-5.6 model will be integrated into the Codex coding agent platform immediately upon its release. The question underscores the intense community interest in how quickly OpenAI will roll out new model capabilities to its developer tools amidst rumors of GPT-5.6's testing and impending launch.