Security researchers have identified malicious versions of the popular PyTorch Lightning Python package and the intercom-client npm package being used in coordinated supply chain attacks to steal developer credentials and propagate malware.
In a concerning development for the open-source community, security researchers have identified malicious versions of two widely used packages targeting developers. The PyTorch Lightning framework and the intercom-client npm package have both been compromised in what appears to be a coordinated supply chain attack designed to steal credentials and propagate malware across development environments.
The attack, identified by researchers from Aikido Security, OX Security, Socket, and StepSecurity, specifically targets versions 2.6.2 and 2.6.3 of PyTorch Lightning, both published on April 30, 2026. The campaign is assessed to be an extension of the "Mini Shai-Hulud" supply chain incident that previously targeted SAP-related npm packages. As of this writing, the compromised packages have been quarantined by administrators of the Python Package Index (PyPI) repository.
PyTorch Lightning is a high-level interface for PyTorch, one of the most popular deep learning frameworks in the Python ecosystem. The open-source project boasts more than 31,100 stars on GitHub and is used by thousands of researchers and developers worldwide.
"The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload," explained researchers at Socket. "The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import."
The attack chain begins with a Python script ("start.py") that downloads and executes the Bun JavaScript runtime, which then runs an 11MB obfuscated malicious payload ("router_runtime.js") designed for comprehensive credential theft. The malware validates harvested GitHub tokens against the "api.github[.]com/user" endpoint before using them to inject a worm-like payload into up to 50 branches from every repository the token can write to.
"Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic's Claude Code," Socket added. "The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do. No pre-check for existing content is performed."
The attack also implements an npm-based propagation vector that modifies local npm packages with a postinstall hook in the "package.json" file to invoke the malicious payload. It then increases the patch version number and repacks the .tgz tarballs, potentially leading to the tampered packages being published to npm and affecting downstream users.
In a related development, version 7.0.4 of intercom-client has been compromised using a similar modus operandi. The attack uses a preinstall hook to trigger the execution of credential-stealing malware, following the same pattern as the SAP packages targeted in the Mini Shai-Hulud campaign.
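The install-hook vector described above can be audited before a dependency tree or a packed tarball is trusted. The following is an added example, not code from the researchers or from either project: it reports every install-time lifecycle script declared in `package.json` files and `.tgz` tarballs under a directory and flags intercom-client 7.0.4. The function names are assumptions, and a reported hook is a prompt for review rather than proof of compromise.

```python
import json
import tarfile
from pathlib import Path

# npm lifecycle scripts that run automatically at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_BAD = {("intercom-client", "7.0.4")}  # version named in the article


def audit_manifest(manifest, source):
    """Return (source, kind, detail) findings for one parsed package.json."""
    if not isinstance(manifest, dict):
        return []
    findings = []
    name, version = str(manifest.get("name")), str(manifest.get("version"))
    if (name, version) in KNOWN_BAD:
        findings.append((source, "known-bad", f"{name}@{version}"))
    scripts = manifest.get("scripts")
    if isinstance(scripts, dict):
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((source, hook, str(scripts[hook])))
    return findings


def audit_tarball(tgz_path):
    """Audit the manifest inside a packed tarball (npm pack uses 'package/')."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        try:
            member = tar.extractfile("package/package.json")
        except KeyError:
            return []
        if member is None:
            return []
        return audit_manifest(json.load(member), str(tgz_path))


def audit_tree(root):
    """Audit every package.json and .tgz below root; skip unreadable files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        try:
            if path.name == "package.json" and path.is_file():
                data = json.loads(path.read_text(encoding="utf-8"))
                findings += audit_manifest(data, str(path))
            elif path.suffix == ".tgz" and path.is_file():
                findings += audit_tarball(path)
        except (ValueError, OSError, tarfile.TarError):
            continue
    return findings
```

Run `audit_tree` over a project's `node_modules` directory and over any locally packed tarballs before publishing.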
"The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details," researchers noted. "These include distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy."
The maintainers of PyTorch Lightning have acknowledged the incident, stating: "We are aware of the issue and are actively investigating." While the exact root cause remains unclear, indications suggest the project's GitHub account may have been compromised. The maintainers confirmed that "the affected versions have introduced functionality consistent with a credential harvesting mechanism."
For developers and organizations using these packages, immediate action is required. Security experts recommend blocking Lightning versions 2.6.2 and 2.6.3 and removing them from systems if already installed. Users should downgrade to the last known clean version, 2.6.1, and rotate any credentials that may have been exposed in affected environments.
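To find affected installations, the following added example (not code from the researchers or the Lightning project) scans a Python environment for the two malicious versions and for the payload files reported inside the `_runtime` directory. The distribution names `lightning` and `pytorch-lightning` and the function names are assumptions; the versions and file names are the ones given above.

```python
import importlib.metadata as md
import sys
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}  # versions named in the article
DIST_NAMES = {"lightning", "pytorch-lightning"}  # assumption: installed names
PAYLOAD_FILES = ("router_runtime.js", "start.py")  # reported inside _runtime


def normalize(name):
    """Normalize a distribution name the way package indexes compare them."""
    return name.lower().replace("_", "-").replace(".", "-")


def scan_site_dir(site_dir):
    """Return (kind, detail) findings for one site-packages directory."""
    site_dir = Path(site_dir)
    findings = []
    for dist in md.distributions(path=[str(site_dir)]):
        try:
            name = normalize(dist.metadata.get("Name") or "")
            version = dist.version
        except Exception:  # unreadable or broken dist-info: skip it
            continue
        if name in DIST_NAMES and version in BAD_VERSIONS:
            findings.append(("affected-version", f"{name}=={version}"))
    # Look for the payload files independently of the metadata, in case the
    # version check misses a renamed or vendored copy.
    for runtime_dir in sorted(site_dir.rglob("_runtime")):
        for fname in PAYLOAD_FILES:
            if (runtime_dir / fname).is_file():
                rel = (runtime_dir / fname).relative_to(site_dir).as_posix()
                findings.append(("payload-file", rel))
    return findings


def scan_environment():
    """Scan every site-packages / dist-packages directory on sys.path."""
    findings = []
    for entry in sys.path:
        p = Path(entry)
        if p.name in ("site-packages", "dist-packages") and p.is_dir():
            findings.extend(scan_site_dir(p))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_environment():
        print(f"{kind}: {detail}")
```

Any finding means the environment should be treated as exposed: remove the package, pin 2.6.1, and rotate credentials as described above.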
The supply chain attack is attributed to the threat actor TeamPCP, which has recently established an onion website on the dark web after its account was suspended from X (formerly Twitter) for violating platform rules. The group has also claimed a connection to LAPSUS$, referring to them as "a good partner of ours and has been involved heavily throughout this entire operation."
This incident highlights the growing sophistication of supply chain attacks targeting open-source repositories. As developers increasingly rely on third-party packages, the potential impact of such compromises expands significantly. The attack on PyTorch Lightning is particularly concerning given its widespread use in the machine learning and AI communities.
Security researchers emphasize the importance of package integrity verification, dependency scanning, and regular updates to security tools that can detect suspicious package behavior. Organizations should also consider implementing stricter controls around package installation and CI/CD pipeline security to mitigate the risk of supply chain attacks.
The incident serves as a reminder of the critical need for robust security practices in the open-source ecosystem, as well as the importance of maintaining vigilance when updating dependencies, especially during periods of active supply chain attacks.
