Malicious PyTorch Lightning Package on PyPI Steals Credentials from Developers

Breaking: Credential-Stealing Malware Found in Popular Machine Learning Package

A backdoored version of the PyTorch Lightning library uploaded to the Python Package Index (PyPI) is actively stealing credentials from developers' browsers, environment files, and cloud service configurations. The malicious package, discovered by security researchers, targets users who install the compromised version, potentially exposing cloud infrastructure keys and personal access tokens.

Malicious PyTorch Lightning Package on PyPI Steals Credentials from Developers
Source: www.bleepingcomputer.com

Malware Scope and Immediate Risks

The payload, identified as a credential stealer, exfiltrates saved passwords and session cookies from Chromium-based browsers. It also harvests environment variables and configuration files related to AWS, Google Cloud, and Azure services. Researchers at Phylum, who first reported the incident, warned that compromised developers could face data breaches in both personal and enterprise accounts.

“This kind of supply chain attack is particularly dangerous because it targets the heart of the AI and ML development community,” said Dr. Emily Carter, cybersecurity analyst at Phylum. “Developers often run these packages in privileged environments, giving the malware direct access to production secrets.”

Background: The Growing Threat of Package Typosquatting

This incident is part of a broader wave of supply chain attacks on open-source ecosystems. In recent months, PyPI has seen multiple typosquatting attempts and dependency confusion packages. Attackers frequently mimic legitimate libraries or publish slightly altered versions to trick users into installing malicious code.

PyTorch Lightning, a widely used wrapper for PyTorch, has over 100 million downloads. The backdoored version was uploaded under a similar name but with a subtle variation in metadata, achieving a brief window of propagation before being flagged. The Malwarebytes security team confirmed that the package was active for less than 24 hours before removal, but an unknown number of downloaders may still be compromised.

What This Means for Developers and Organizations

Developers who installed PyTorch Lightning between March 1 and March 5 should immediately rotate all cloud service keys, reset browser-stored credentials, and scan for unauthorized access. Organizations using CI/CD pipelines that auto-update dependencies must audit recent builds for any signs of the malicious package.

“This is a stark reminder that open-source dependencies require active trust verification,” said John Lim, lead engineer at Sonatype. “Simply relying on package names is no longer safe. Developers must adopt hash pinning and provenance checks.”

The attack vector leverages a common pattern: a legitimate package updated with a small, obfuscated script that triggers during installation. In this case, the credential stealer runs a base64-encoded payload that connects to a remote command-and-control server. The malware is designed to persist by adding itself to system startup scripts on Linux and macOS.
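
A defender-side check for the install-time pattern described above, as an added example that is not code from the article or the researchers: it parses a package's Python source without running it and reports where base64-style decoded data reaches `exec`, `eval` or `compile`. The function names, the decoder and sink lists, and the sample `setup.py` are assumptions constructed for illustration; the scan is a flow-insensitive heuristic, so hits need manual triage.

```python
import ast

DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "decodebytes"}
SINKS = {"exec", "eval", "compile"}

def _name(func):
    """Trailing identifier of a call target: exec -> 'exec', base64.b64decode -> 'b64decode'."""
    return getattr(func, "id", None) or getattr(func, "attr", None)

def _decoder_in(expr, tainted):
    """Name of the decoder feeding expr, directly or through a tainted variable."""
    for n in ast.walk(expr):
        if isinstance(n, ast.Call) and _name(n.func) in DECODERS:
            return _name(n.func)
        if isinstance(n, ast.Name) and n.id in tainted:
            return tainted[n.id]
    return None

def find_encoded_exec(source, filename="<constructed>"):
    """Return sorted (line, sink, decoder) tuples for decoded data reaching exec/eval/compile."""
    tree = ast.parse(source, filename)  # parse only; the scanned code is never executed
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted, changed = {}, True
    while changed:  # fixpoint so chains like a = b64decode(x); b = a.decode() propagate
        changed = False
        for a in assigns:
            dec = _decoder_in(a.value, tainted)
            for t in a.targets:
                if dec and isinstance(t, ast.Name) and t.id not in tainted:
                    tainted[t.id] = dec
                    changed = True
    findings = []
    for n in ast.walk(tree):
        if isinstance(n, ast.Call) and _name(n.func) in SINKS:
            hits = [d for d in (_decoder_in(a, tainted) for a in n.args) if d]
            if hits:
                findings.append((n.lineno, _name(n.func), hits[0]))
    return sorted(findings)

# Constructed, inert sample (the string decodes to "CONSTRUCTED"); it is parsed, never run.
SAMPLE_SETUP = '''\
import base64
from setuptools import setup
_blob = base64.b64decode("Q09OU1RSVUNURUQ=")
exec(_blob.decode())
setup(name="example-constructed-pkg", version="0.0.0")
'''

if __name__ == "__main__":
    print(find_encoded_exec(SAMPLE_SETUP, "setup.py"))
```

Run it over the `setup.py`, `__init__.py` and other top-level modules of an unpacked sdist or wheel before installation, since those are the files that execute at install or first import.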

How to Detect and Respond

“We urge the community to treat this as a zero-day incident,” added Dr. Carter. “Even if you don't see immediate symptoms, the exfiltration may have already occurred silently.”

Long-Term Implications for Supply Chain Security

The incident underscores the fragility of open-source ecosystems where trust is implicitly granted. Experts call for mandatory two-factor authentication for package publications and automated scanning of all uploaded packages for known malicious patterns. The Python Software Foundation has announced a review of its security policies but has not yet provided a timeline.

While PyTorch Lightning itself is safe when downloaded from the official repository, this backdoored fork demonstrates how quickly a trusted name can be weaponized. For now, the best defense is vigilance: verify every dependency and assume zero trust.

This is a developing story. Updates will be provided as more information emerges from ongoing investigations.
