惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
aimingoo的专栏
aimingoo的专栏
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
GbyAI
GbyAI
阮一峰的网络日志
阮一峰的网络日志
Engineering at Meta
Engineering at Meta
IT之家
IT之家
V
Visual Studio Blog
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
A
About on SuperTechFans
博客园 - 聂微东
Blog — PlanetScale
Blog — PlanetScale
N
News and Events Feed by Topic
A
Arctic Wolf
WordPress大学
WordPress大学
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
F
Fortinet All Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Y
Y Combinator Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
Simon Willison's Weblog
Simon Willison's Weblog
Cyberwarzone
Cyberwarzone
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
Lohrmann on Cybersecurity
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Privacy International News Feed
J
Java Code Geeks
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
I
Intezer
L
LangChain Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
G
GRAHAM CLULEY
博客园 - 叶小钗
博客园 - 三生石上(FineUI控件)
The GitHub Blog
The GitHub Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Malicious PyTorch Lightning Packages Found on PyPI
Sonatype Security Research Team · 2026-05-01 · via 2024 Sonatype Blog

Note: This blog was initially published at 8:40pm ET on April 30. It was updated at 6:54pm ET on May 1 to include additional packages.

TL;DR

  • Two malicious versions of the popular PyTorch Lightning package have been uploaded to PyPI following the publisher account’s compromise.

  • Lightning versions 2.6.2 and 2.6.3 (tracked as sonatype-2026-002817) were published on April 30, 2026, containing embedded malicious code that gathers developer credentials and publishes infected package versions.

  • If downloaded, these malicious versions have likely already done their damage — if you are unsure, verify that your build processes are using version 2.6.1.

The widely used pytorch-lightning package has been hijacked by malicious actors, resulting in two malicious versions (2.6.2 and 2.6.3) publishing on the PyPI registry on April 30, 2026. The packages are designed to steal developer credentials and republish malicious versions of the repositories to which stolen tokens have access.

This is yet another escalation in a series of self-propagating open source malware attacks that are designed to steal credentials, spread rapidly, and overwhelm open source repositories.

What Happened

On April 30, 2026, two back-to-back releases of the lightning package were published to PyPI:

  • lightning 2.6.2

  • lightning 2.6.3 (published just 13 minutes later)

The project's maintainers released an advisory detailing the incident. Both versions were uploaded by the same publisher and researchers believe are part of a coordinated attack. Despite minimal differences between the releases, both contained the same malicious payload.

Critically, version 2.6.3 was not a fix. It retained the full malicious functionality while slightly modifying metadata and loader behavior to evade detection. The attack also spread to hijack the npm package intercom-client 7.0.4, as well as intercom and intercom-php on Composer. 

Technical Analysis: How the Attack Works

The attack is triggered automatically when the package is imported:

  • A modified __init__.py file launches a background process.

  • The process executes silently with no visible output.

  • Users receive no indication of compromise.

This means simply importing the package is enough to activate the malware.

Obfuscated Multi-Cloud Credential Harvester

The package includes a large (11 MB) obfuscated JavaScript file that uses heavy hex-encoded variable obfuscation to evade static analysis and executes via a bundled runtime loader.

The payload targets a wide range of services, including:

  • AWS (IMDS, STS, Secrets Manager).

  • Azure (AD, Key Vault, Service Fabric).

  • Google Cloud (OAuth, metadata services, KMS).

  • GitHub APIs.

  • Local environment variables and credential files.

The intent is to harvest credentials across multi-cloud and developer environments.

Secondary Payload Execution

The package includes a Python bootstrapper that downloads a runtime (Bun) from GitHub if not present, executes the malicious JavaScript payload, and runs in the background without blocking execution.

Additionally, the malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, increasing the potential impact.

Why This Attack Matters

Compromised Package, Not a Fake

Unlike traditional typosquatting attacks, this incident involves a compromised version of a legitimate, widely used package.

This makes it significantly more dangerous because:

  • Developers trust the package name.

  • Automated systems may allow it by default.

  • Detection relies on behavioral analysis, not naming anomalies.

Rapid Republish to Evade Detection.

One of the most important findings from is how quickly attackers iterated. Version 2.6.2 was flagged as suspicious, yet just minutes later, version 2.6.3 was published with the same malicious payload in an attempt to evade detection.

This highlights a critical tactic of rapidly republishing near-identical versions to bypass security controls that evaluate releases in isolation.

Signal Evasion Through Minimal Changes

Attackers made subtle changes between versions, including slight modifications to loader scripts, minor metadata updates, and no meaningful differences in the underlying payload.

These small changes were enough to avoid triggering certain detection signals, underscoring the need for:

  • Cross-version correlation.

  • Payload reuse detection.

  • Behavioral analysis over static heuristics.

What to Do if You've Been Compromised

Organizations that installed or used these versions should treat affected systems as compromised.

The malicious package is designed to steal credentials and may have already downloaded additional payloads, meaning sensitive data could be exposed and further malicious activity may already be underway.

Remove affected versions immediately
  • lightning 2.6.2
  • lightning 2.6.3
 Audit systems for compromise
  • Check for unauthorized processes
  • Review outbound network connections
  • Inspect credential usage
 Rotate credentials
  • Cloud provider keys (AWS, Azure, GCP)
  • API tokens (GitHub, CI/CD systems)
  • Secrets stored in environment variables
 Investigate secondary impact
  • Review logs for suspicious downloads or execution
  • Analyze endpoints for persistence mechanisms
  • Conduct endpoint detection and response (EDR) scans

How to Stay Ahead of This Threat Class

The PyTorch Lightning incident shows how quickly attackers can exploit trust in open source ecosystems. As pipelines become more automated, the window between compromise and impact continues to shrink.

This incident reinforces several best practices:

  • Pin dependencies to known-good versions and verify package integrity before use.

  • Monitor for behavioral anomalies such as unexpected subprocess execution, network calls during import, and large or obfuscated embedded files.

  • Detect cross-version threats by flagging rapid successive releases from the same publisher and identifying reused payloads across versions.

  • Use automated supply chain security tools to continuously monitor dependencies, enforce policies, and detect malicious packages early.

Security teams need to move beyond static checks toward context-aware, behavior-driven analysis, and give developers better visibility into dependency risk before code is ever used. In practice, that means surfacing signals like unusual runtime behavior, rapid releases, or payload reuse early in the decision process.

Tools like Sonatype Guide help provide that context, enabling teams to avoid high-risk components before they enter the build.

Sonatype will continue to monitor this situation and provide updates as more information becomes available.

Tags

python PyPI pypi vulnerability Malware Analysis Malware open source malware