PyTorch Lightning on PyPI Compromised — Versions 2.6.2/2.6.3

Colleagues, a cybersecurity alert: PyTorch Lightning on PyPI has been compromised — malicious versions 2.6.2 and 2.6.3 were published.
- Researchers found a loader and obfuscated JS that, on import, downloads Bun and a payload to exfiltrate credentials.
- The malware validates GitHub tokens via api.github.com/user and injects commits; an npm vector uses postinstall and hijacks local packages.
- PyPI has quarantined the project. Recommendations: block/remove 2.6.2/2.6.3, revert to 2.6.1, and rotate credentials.
Why it matters: supply-chain infections propagate rapidly downstream.
How will you verify your environments?
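One way to answer that question for your own environments, as an added example (not code from the alert or from the Lightning project): a small audit that checks the installed distribution and any pinned requirements or `pip freeze` output against the two versions named above. It assumes the affected PyPI distribution is published as `pytorch-lightning`; the sample requirements file is constructed for the demo.

```python
"""Audit installed and pinned PyTorch Lightning versions against the
compromised releases named in the alert (2.6.2 and 2.6.3)."""
import re
from importlib import metadata

# Versions the alert says to block/remove; 2.6.1 is the recommended rollback.
COMPROMISED = {"2.6.2", "2.6.3"}
SAFE_ROLLBACK = "2.6.1"
# Assumption: the affected distribution is published on PyPI as "pytorch-lightning".
DIST_NAME = "pytorch-lightning"

# Matches exact pins such as "PyTorch_Lightning==2.6.3" (requirements.txt / pip freeze).
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'PyTorch_Lightning' and 'pytorch-lightning' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_version(dist: str = DIST_NAME):
    """Version of `dist` in the current interpreter, or None if it is not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def audit_environment(dist: str = DIST_NAME) -> dict:
    """Report whether the running environment carries a compromised release."""
    ver = installed_version(dist)
    return {"installed": ver, "compromised": ver in COMPROMISED, "rollback_to": SAFE_ROLLBACK}


def audit_pins(requirements_text: str, dist: str = DIST_NAME) -> list:
    """Return [(line_no, version)] for every pin of `dist` at a compromised version."""
    hits = []
    for no, line in enumerate(requirements_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PIN.match(line)
        if m and normalize(m.group(1)) == normalize(dist) and m.group(2) in COMPROMISED:
            hits.append((no, m.group(2)))
    return hits


# Constructed sample lock file (not real project data).
SAMPLE_REQUIREMENTS = """\
torch==2.3.0
PyTorch_Lightning==2.6.3  # pulled in last week
numpy==1.26.4
"""

if __name__ == "__main__":
    print("environment:", audit_environment())
    print("compromised pins:", audit_pins(SAMPLE_REQUIREMENTS))
```

Feed it `pip freeze` output or each repo's lock file; any hit means remove the release, pin back to 2.6.1, and rotate every credential that environment could reach.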
#cybersecurity #supplychain #PyPI #DevSecOps
