PyTorch Lightning Supply Chain Attack Exposes Credentials
Threat actors have once again exploited the open‑source supply chain, compromising the popular Python libraries PyTorch Lightning and Intercom‑client. By obtaining the maintainer’s PyPI API token, the attackers published two malicious releases—version 1.3.1 of Lightning and 2.1.0 of Intercom‑client—each containing an obfuscated payload designed to harvest credentials from the host environment. The malicious code was injected into the package’s setup.py and executed during the installation process via a custom post‑install hook, allowing it to silently exfiltrate environment variables, SSH keys, and cloud service tokens to an external endpoint under the attackers’ control.
The payload leveraged Base64 encoding and a small Python script that collected system information and credentials before sending them over HTTPS to a command‑and‑control (C2) server located at IP 185.220.101.47. The injected code also attempted to overwrite the legitimate __init__.py to persist the malicious routine across future imports, making detection more difficult. According to the security research group Aiki, the rogue packages were signed with the legitimate maintainer’s PGP key, bypassing typical trust checks on the repository.
The malicious releases were downloaded more than 58,000 times before the incident was identified and the packages were removed from PyPI on March 5, 2025. The campaign primarily targeted developers using continuous integration pipelines, where environment variables often store CI/CD tokens and cloud access credentials. As a result, organizations that integrated the compromised versions risk unauthorized access to their CI systems, cloud accounts, and internal APIs.
In response, the open‑source community recommends immediate remediation steps: audit installed package versions, remove any instances of the flagged releases, rotate potentially exposed secrets, and enforce strict dependency pinning using lockfiles. Maintainers are also urged to enable two‑factor authentication on package indexes, use rotating API tokens, and regularly monitor their accounts for suspicious activity. The full technical analysis is available in the report published by The Hacker News.
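The first remediation step above, auditing for the flagged releases, can be scripted. This is an added example, not code from the article or from either project; it checks both the installed distributions and the lines of a requirements or lock file. The distribution names `lightning` and `intercom-client` are assumptions derived from the names in the article, and the helper names are hypothetical.

```python
import re
from importlib import metadata

# Flagged releases as named in the article. The PyPI distribution names used
# as keys are assumptions; adjust them to match your package index.
FLAGGED = {"lightning": {"1.3.1"}, "intercom-client": {"2.1.0"}}

# Requirement line: name, optional [extras], optional exact "== version" pin.
REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#\\]+))?"
)

def normalize(name):
    """PEP 503 name normalization, so 'Intercom_Client' == 'intercom-client'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_installed(dists=None):
    """Return sorted (name, version) pairs for flagged releases in an environment."""
    if dists is None:  # default: inspect the interpreter this script runs under
        dists = [(d.metadata.get("Name"), d.version) for d in metadata.distributions()]
    return sorted(
        (normalize(n), v) for n, v in dists if n and v in FLAGGED.get(normalize(n), ())
    )

def audit_requirements(text):
    """Return (line number, name, status) for each line naming a flagged project.

    status is 'flagged' for an exact pin to a flagged release and 'unpinned'
    when there is no exact '==' pin, so the version is decided at resolve time.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in FLAGGED:
            continue  # comments, options, blank lines, unrelated projects
        name, version = normalize(m.group(1)), m.group(2)
        if version is None:
            findings.append((lineno, name, "unpinned"))
        elif version in FLAGGED[name]:
            findings.append((lineno, name, "flagged"))
    return findings

if __name__ == "__main__":
    for name, version in audit_installed():
        print(f"FLAGGED installed: {name}=={version}")
```

Run it with the interpreter of each virtual environment or CI image you want to check, and pass the contents of each requirements file to `audit_requirements`; any hit means the secrets reachable from that environment should be rotated.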