
PyTorch Lightning on PyPI Compromised — Versions 2.6.2/2.6.3


Colleagues, a cybersecurity alert: PyTorch Lightning on PyPI has been compromised — versions 2.6.2/2.6.3 published.

- Researchers found a loader and obfuscated JS that, on import, downloads Bun and a payload to exfiltrate credentials.
- The malware validates GitHub tokens via api.github.com/user and injects commits; an npm vector uses postinstall and hijacks local packages.
- PyPI has quarantined the project. Recommendations: block/remove 2.6.2/2.6.3, revert to 2.6.1, and rotate credentials.

Why it matters: supply‑chain infections propagate rapidly downstream.

How will you verify your environments?
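One way to answer that question, as an added example that is not part of the original post: a small check that flags the affected pins in requirements-style files and reports whether an affected release is installed in the current interpreter. It assumes the PyPI distribution is named "pytorch-lightning".

```python
# Added example (not from the original post): scan requirement pins and the
# active environment for the compromised PyTorch Lightning releases.
# Assumption: the PyPI distribution is named "pytorch-lightning".
import re
from importlib import metadata
from typing import List, Optional, Tuple

PACKAGE = "pytorch-lightning"          # assumed distribution name
AFFECTED = {"2.6.2", "2.6.3"}          # versions named in the alert
SAFE_PIN = "2.6.1"                     # version the alert says to revert to

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so pytorch_lightning == PyTorch-Lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected_pins(requirements_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, version) for every '==' pin of an affected release.

    Works on requirements.txt-style input; comments and markers are ignored.
    """
    hits = []
    for lineno, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name == PACKAGE and version in AFFECTED:
            hits.append((lineno, version))
    return hits


def check_installed() -> Optional[str]:
    """Return the installed version if it is an affected one, else None."""
    try:
        installed = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return installed if installed in AFFECTED else None


def remediation(version: str) -> str:
    """Action the alert prescribes for an affected install or pin."""
    return (f"remove {PACKAGE}=={version}, pin {PACKAGE}=={SAFE_PIN}, "
            "and rotate any credentials the environment could reach")


if __name__ == "__main__":
    hit = check_installed()
    print(remediation(hit) if hit else f"{PACKAGE}: no affected version installed")
```

Run it inside each virtualenv or container image, and point find_affected_pins at every requirements or constraints file in the repository.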

#cybersecurity #supplychain #PyPI #DevSecOps
