PyTorch Lightning Compromised in Recent Supply Chain Attack

Attackers have targeted the widely used Python package PyTorch Lightning and managed to release two malicious updates aimed at stealing user credentials. The malicious versions, labeled 2.6.2 and 2.6.3, were made available on April 30, 2026. Reports from cybersecurity firms, including Aikido Security and OX Security, indicate that this is part of ongoing supply chain attacks, which have become a significant concern for software integrity. Users of PyTorch Lightning are advised to check their installed versions and update their software to mitigate potential threats.
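One way to run the version check advised above, as an added example that is not part of the original reporting: it flags exact pins to 2.6.2 or 2.6.3 in requirements or lock file lines and in the current Python environment. The distribution names `pytorch-lightning` and `lightning` are assumptions (the summary does not name the PyPI distribution), and the sample lines are constructed.

```python
import re
from importlib import metadata

# Versions named on this page as malicious.
FLAGGED_VERSIONS = {"2.6.2", "2.6.3"}
# Assumption: PyPI distribution names under which PyTorch Lightning ships.
WATCHED_NAMES = {"pytorch-lightning", "lightning"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Exact pins such as 'pkg==1.2.3' or 'pkg[extra] == 1.2.3 ; marker'.
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;\\#]+)"
)

def flagged_pins(lines):
    """Return (line_no, name, version) for each exact pin to a flagged version."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) in WATCHED_NAMES and m.group(2) in FLAGGED_VERSIONS:
            hits.append((no, normalize(m.group(1)), m.group(2)))
    return hits

def flagged_installed():
    """Return (name, version) for flagged distributions in this environment."""
    hits = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in WATCHED_NAMES and dist.version in FLAGGED_VERSIONS:
            hits.add((normalize(name), dist.version))
    return sorted(hits)

# Constructed sample of requirements / lock file lines.
SAMPLE = [
    "torch==2.5.1",
    "PyTorch_Lightning==2.6.2 \\",
    "    --hash=sha256:<placeholder>",
    "lightning[extra]==2.6.3 ; python_version >= '3.9'",
    "lightning==2.6.1  # not flagged",
    "lightning-utilities==2.6.2  # different package, same version number",
]

if __name__ == "__main__":
    for hit in flagged_pins(SAMPLE):
        print("pinned:", hit)
    for hit in flagged_installed():
        print("installed:", hit)
```

To scan a real file, pass its lines to `flagged_pins`, for example `flagged_pins(open("requirements.txt"))`. Version ranges that merely admit a flagged release are not detected; only exact pins and installed copies are.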
Original reporting by The Hacker News. We only summarise, never republish.