PyTorch Lightning Package Compromised: Credential Stealer Targets Developers

From Usahobs, the free encyclopedia of technology

Breaking: Malicious PyTorch Lightning Package on PyPI Delivers Credential Stealer

A backdoored version of the popular PyTorch Lightning library has been discovered on the Python Package Index (PyPI), actively stealing credentials from browsers, environment files, and cloud service configurations, cybersecurity researchers reported today.

PyTorch Lightning Package Compromised: Credential Stealer Targets Developers
Source: www.bleepingcomputer.com

The malicious package, uploaded by an unknown threat actor, mimics the legitimate PyTorch Lightning framework used by thousands of machine learning developers. It targets Chrome, Firefox, and Edge browser credential stores, .env files, and AWS, Azure, and GCP cloud service tokens.

“This is a sophisticated supply chain attack that exploits trust in open-source ecosystems,” said Dr. Elena Voss, lead threat analyst at Cybersec Insights. “Any developer who installed this package in the past 72 hours should treat their systems as compromised.”

Background: The Rise of PyPI Supply Chain Attacks

PyPI, the official third-party software repository for Python, has become a frequent target for attackers. In the past year alone, dozens of typosquatted or backdoored packages have been removed after exfiltrating credentials.

The PyTorch Lightning project is a widely used wrapper for the PyTorch deep learning framework. Legitimate versions are maintained by the Lightning AI team. The malicious package used a similar name and version number to evade detection.

Researchers at PhishLabs identified the rogue package after noticing anomalous network traffic from developer workstations running a recent PyTorch Lightning update. “The payload was encoded to bypass basic antivirus scans,” said Mark Chen, senior malware analyst at PhishLabs. “It only activates when certain system conditions are met—likely to avoid sandbox analysis.”

How the Attack Works

Once installed, the backdoored package runs a Python script that:

  • Scrapes browser databases for saved passwords, cookies, and autofill data (Chrome, Firefox, Edge).
  • Reads .env and .bashrc files for environment variables containing API keys or database credentials.
  • Queries local cloud provider CLI configurations (AWS ~/.aws/credentials, Azure CLI profile, GCP service account keys).
  • Exfiltrates collected data via an encrypted HTTPS POST request to a remote command-and-control (C2) server.

The C2 server—hosted on a bulletproof hosting provider—automatically decodes the stolen data and stores it in a database. “We have observed multiple exfiltration attempts over the weekend, suggesting the attacker is actively exploiting credentials as they roll in,” Voss added.

What This Means for Developers and Organizations

If you or your team have installed any version of PyTorch Lightning from PyPI in the past week (version 1.9.5 or later), your credentials are likely compromised. The threat actor can now access your cloud accounts, source code repositories, and internal services.

“Immediately rotate all API keys, cloud service credentials, and container registry tokens,” advised Chen. “Enable multi-factor authentication wherever possible and audit your environment for unexpected access.”

Organizations should also scan developer workstations for the malicious package using a checksum tool or a software bill of materials (SBOM). The malicious package has been removed from PyPI, but copies may still circulate on mirrored repositories.

Steps to Mitigate the Threat

  1. Uninstall the suspicious PyTorch Lightning package: pip uninstall pytorch-lightning — but do not trust the legitimate version until a full scan completes.
  2. Reset credentials for any service that could have been exposed (AWS, Azure, GCP, GitHub, GitLab, Docker Hub, etc.).
  3. Monitor cloud accounts for unusual login locations or resource usage.
  4. Implement a package verification policy using pip hash or trusted private registries.
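One way to enforce step 4 in CI is sketched below. This is an added example, not code from the researchers or from pip. It flags requirements entries that are not pinned with `==` or carry no `sha256` hash, which pip's hash-checking mode (`--require-hashes`) also requires. The function names and the sample file are assumptions made for illustration.

```python
import re

# A requirement counts as pinned when the name (plus optional extras) is
# followed by an == specifier.
PIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit_requirements(text):
    """Return (requirement, problem) pairs for entries that cannot be verified."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as --index-url or -r
            continue
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0]
        if not PIN.match(line):
            problems.append((name, "not pinned with =="))
        elif not HASH.search(line):
            problems.append((name, "no sha256 hash"))
    return problems


DUMMY = "0" * 64  # constructed placeholder digest, not a real package hash
# Constructed sample requirements file for the demonstration.
SAMPLE = (
    "# training dependencies\n"
    "pytorch-lightning>=1.9\n"
    "torch==2.1.0\n"
    "numpy==1.26.0 \\\n"
    f"    --hash=sha256:{DUMMY}\n"
)

if __name__ == "__main__":
    for requirement, problem in audit_requirements(SAMPLE):
        print(f"{requirement}: {problem}")
```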

“This attack underscores the need for developers to treat open-source dependencies as critical attack surfaces,” said Voss. “We recommend using virtual environments with strict version pinning and auditing every third-party package.”

PyPI Response and Ongoing Investigation

The PyPI administrators took down the malicious package within hours of the disclosure. “We are working with the security community to prevent similar uploads,” a PyPI spokesperson stated. The Python Software Foundation is reviewing automated checks for suspicious code in submitted packages.

Users are advised to check their pip list output for any package with a name closely matching pytorch-lightning (especially with hyphens or underscores altered). The legitimate package is maintained by Lightning AI and verified with a digital signature.
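The name check above, and the workstation scan recommended earlier, can be automated across every virtual environment under a directory. This is an added example, not code from the article or the researchers. The function names, the 0.85 similarity threshold and the verdict labels are assumptions; the 1.9.5 cutoff is the version range the article gives.

```python
import difflib
import re
import sys
from email.parser import Parser
from pathlib import Path

TARGET = "pytorch-lightning"
AFFECTED_FROM = (1, 9, 5)  # "version 1.9.5 or later", per the article


def normalize(name):
    """PEP 503 normalization: lowercase, runs of - _ . become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_tuple(version):
    """Leading numeric components only; enough to compare against 1.9.5."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def classify(name, version):
    """Return 'review-version', 'lookalike' or 'ok' for one installed package."""
    norm = normalize(name)
    if norm == TARGET:
        # Exact project name: flag the version range the article says to distrust.
        return "review-version" if version_tuple(version) >= AFFECTED_FROM else "ok"
    squashed = norm.replace("-", "")
    ratio = difflib.SequenceMatcher(None, squashed, TARGET.replace("-", "")).ratio()
    # Separator tricks give a ratio of 1.0; single-character typos stay above 0.85.
    return "lookalike" if ratio >= 0.85 else "ok"


def scan_tree(root):
    """Classify every *.dist-info found under root (covers all venvs below it)."""
    findings = []
    for meta in Path(root).rglob("METADATA"):
        if not meta.parent.name.endswith(".dist-info"):
            continue
        headers = Parser().parsestr(meta.read_text(errors="replace"), headersonly=True)
        name, version = headers.get("Name", ""), headers.get("Version", "")
        verdict = classify(name, version)
        if verdict != "ok":
            findings.append((name, version, verdict, str(meta.parent)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_tree(sys.prefix):  # scan the current environment
        print(*finding, sep="\t")
```

A `lookalike` verdict is a triage signal for manual review, not proof that the package is malicious.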

Stay Informed

For ongoing updates, bookmark this article’s background section or follow Cybersec Insights for daily threat intelligence. Security vendors are expected to release detection signatures within 24 hours.