PyTorch Lightning Worm Attack: Team PCP Weaponizes 31k-Star AI Framework for Credential Theft Campaign
Threat actors compromised the popular PyTorch Lightning Python package on PyPI, publishing two malicious versions, 2.6.2 and 2.6.3, on April 30, 2026. The implanted payload steals developer and CI/CD credentials and then uses the stolen GitHub tokens to push copies of itself into victims' repositories, making this a self-propagating, ecosystem-spanning threat aimed squarely at AI and ML practitioners.

PyTorch Lightning Weaponized in Multi-Ecosystem Supply Chain Attack
Threat actors compromised the popular Python package PyTorch Lightning, publishing two malicious versions, 2.6.2 and 2.6.3, on April 30, 2026, as part of a broader software supply chain campaign. The open-source project has more than 31,100 stars on GitHub and is one of the most widely used training frameworks in the deep learning community. The incident marks an inflection point: rather than merely harvesting credentials from a package repository, the attackers shipped self-propagating worm code that bridges the Python and JavaScript ecosystems.
Attack Timeline and Rapid Detection
Socket's research team flagged versions 2.6.2 and 2.6.3 as malicious 18 minutes after publication on April 30, 2026, and the packages were quarantined on PyPI 42 minutes after publication. Fast detection narrows the window but does not close it. Any environment that resolved an unpinned lightning requirement during those 42 minutes, whether a developer running pip install -U, a fresh CI job, or an automated dependency-update bot, received the attacker's build. Exact version pins verified with hashes (pip install --require-hashes) are the control that would have made the new release inert until a human reviewed it.
Aikido Security, OX Security, Socket, and StepSecurity independently confirmed that 2.6.2 and 2.6.3 are the only malicious versions. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that hit SAP-related npm packages on Wednesday of the same week, which points to a coordinated, multi-platform operation rather than isolated incidents.
Technical Analysis: Hidden Payload and Automatic Execution
\"The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,\" Socket said. \"The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.\" This design is deliberately insidious—developers who pip-install or update the package have already triggered the attack payload, with zero user interaction required beyond standard installation.
The compromised versions contained a hidden _runtime directory with an obfuscated JavaScript payload that executed automatically upon package import. The attack chain downloaded the Bun JavaScript runtime and deployed an 11MB obfuscated script (router_runtime.js) designed for credential theft. The use of the Bun runtime—a modern JavaScript engine—allows attackers to execute complex code within a Python execution context, crossing traditional language boundaries.
Worm-Like Propagation and Repository Compromise
What distinguishes this attack from typical supply chain compromises is its worm-like propagation. Stolen GitHub tokens were validated and then used to inject the payload into up to 50 branches per repository, silently overwriting files with commits crafted to impersonate Anthropic's Claude Code. Once a developer's credentials are harvested, the malware does not stop at exfiltration: it turns the developer's own repositories into the next distribution point, so every collaborator or pipeline that pulls those branches becomes a new victim.
\"An attacker with access to our PyPI credentials cloned our open source code, injected a malicious payload, and pushed those tampered builds directly to PyPI as malicious versions 2.6.2 and 2.6.3, bypassing our source control entirely. Any user who pip installed or updated to either of those versions received the attacker's build, not ours.\" This statement from the PyTorch Lightning maintainers confirms the attackers gained direct access to PyPI publishing credentials, enabling them to bypass code review processes entirely.
Credential Harvesting Across Multiple Ecosystems
\"The PHP payload mirrors the broader Mini Shai-Hulud tradecraft observed across recent npm and PyPI compromises: install-time execution, Bun-based payload launch, heavily obfuscated JavaScript, credential harvesting from developer and CI/CD environments, and encrypted exfiltration,\" Socket said. The breadth of credential types being targeted reveals the attackers' understanding of modern development workflows: GitHub tokens for repository access, npm publish credentials for JavaScript ecosystem propagation, and cloud credentials (AWS, Azure, GCP) for infrastructure access.
The Intercom Connection: Cascading Compromise
Intercom, for its part, has traced the root cause of its compromise to a local install of "pyannote-audio," which pulled in the compromised Lightning PyPI package as a transitive dependency. That is clear evidence that the newer infections are downstream effects of prior TeamPCP waves rather than independent initial-access events. It also shows how a single malicious package propagates silently through dependency chains, reaching projects that never declared the targeted package as a dependency at all; a lockfile that resolves pyannote-audio resolves lightning with it.
\"That makes this especially concerning because one compromised dependency can become a bridge into additional package ecosystems,\" Socket told The Hacker News via email. \"After two solid weeks of virtually nonstop attacks, the tempo looks deliberate and sustained rather than opportunistic.\"
Attribution: Team PCP and LAPSUS$ Connections
The attack has been attributed to TeamPCP, a threat group previously suspended from X for policy violations. The group has since launched a dark web onion site and claimed ties to LAPSUS$, while denying any use of the VECT encryption tool and instead claiming ownership of CipherForce, its own ransomware locker. Team PCP's reemergence with this level of operational sophistication suggests a regrouped actor that now treats supply chain compromise as a primary revenue source.
Incident Response Recommendations
Organizations using PyTorch Lightning must take immediate action. The maintainers confirmed that the malicious versions introduced credential-harvesting functionality and advised users to downgrade to version 2.6.1 and rotate exposed credentials. Because the payload fires on import, any host that merely imported 2.6.2 or 2.6.3 once, including through a transitive dependency, should be treated as compromised. Response should include:
- Identifying every environment (developer machines, CI runners, container images, notebook servers) where lightning 2.6.2 or 2.6.3 was installed or imported on or after April 30, 2026, including transitive pulls via packages such as pyannote-audio; internal mirrors and caches may have retained the files after PyPI's quarantine
- Rotating every credential reachable from those development and CI/CD environments: GitHub tokens, npm tokens, AWS/Azure/GCP credentials, and anything else present in the process environment or in local credential stores and CLI configuration files
- Auditing GitHub repository logs for suspicious commits, branch creation, or workflow changes, especially commits whose author or message impersonates legitimate tools like Claude Code, across all branches rather than only the default one
- Reviewing CI/CD pipeline logs for unexpected workflow executions triggered during the exposure window
- Scanning local npm tarballs and Python cache directories for unexpected postinstall scripts, and scanning site-packages for the hidden _runtime directory and router_runtime.js described above
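A host-side triage script that puts the first, third and fifth items into practice, added here as an example; it is not code from the PyTorch Lightning project or from any vendor quoted above. It checks the installed Lightning version against the two malicious releases, walks a site-packages or cache tree for the `_runtime`/`router_runtime.js` layout Socket described, and triages a `git log` dump for commits whose author or subject claims to be Claude Code. The `pytorch-lightning` distribution name, the `git log` output format, the "claude" match heuristic, and the sample log lines are assumptions or constructed input rather than details from the article.

```python
"""Triage helper for the PyTorch Lightning 2.6.2 / 2.6.3 compromise.

Added example; not code from the PyTorch Lightning project or from any
vendor cited in the article. Indicators taken from the article: the two
affected versions, the hidden `_runtime` directory and `router_runtime.js`.
Assumptions: the `pytorch-lightning` distribution name, the git log format,
the Claude Code match heuristic and the constructed sample log lines.
"""
from __future__ import annotations

import os
import sysconfig
from importlib import metadata
from pathlib import Path
from typing import Iterable

MALICIOUS_VERSIONS = frozenset({"2.6.2", "2.6.3"})
# `lightning` is the distribution the advisory names; `pytorch-lightning`
# is the older compatibility name and is checked here as an assumption.
DISTRIBUTIONS = ("lightning", "pytorch-lightning")
INDICATOR_DIR = "_runtime"
INDICATOR_FILE = "router_runtime.js"


def affected_distributions(installed: dict[str, str]) -> list[str]:
    """Return `name==version` for installs matching the malicious releases."""
    return [
        f"{name}=={version}"
        for name, version in installed.items()
        if name.lower() in DISTRIBUTIONS and version in MALICIOUS_VERSIONS
    ]


def installed_lightning() -> dict[str, str]:
    """Versions of the Lightning distributions present in this interpreter."""
    found: dict[str, str] = {}
    for name in DISTRIBUTIONS:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return found


def indicator_paths(paths: Iterable[str]) -> list[str]:
    """Keep paths that contain a `_runtime` component or end in the payload name.

    A `_runtime` directory is not proof of compromise on its own; hits are
    surfaced for a human to inspect.
    """
    hits = []
    for raw in paths:
        parts = Path(raw).parts
        if not parts:
            continue
        if INDICATOR_DIR in parts or parts[-1] == INDICATOR_FILE:
            hits.append(raw)
    return hits


def scan_tree(root: str) -> list[str]:
    """Walk a site-packages or pip/npm cache tree and return indicator hits."""
    candidates = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, d) for d in dirnames)
        candidates.extend(os.path.join(dirpath, f) for f in filenames)
    return indicator_paths(candidates)


# Expected input (assumption): git log --all --format='%H%x09%an%x09%ae%x09%s'
def suspicious_commits(log_lines: Iterable[str], needle: str = "claude") -> list[str]:
    """Return SHAs whose author name, e-mail or subject mentions the needle.

    Heuristic (assumption): the worm's commits impersonate Claude Code, so any
    commit claiming that identity is listed for a human to confirm whether the
    developer really used the tool on that branch.
    """
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t", 3)
        if len(fields) != 4:
            continue  # malformed or truncated line; skip rather than guess
        sha, author, email, subject = fields
        if needle in f"{author} {email} {subject}".lower():
            hits.append(sha)
    return hits


# Constructed sample, not a real log; addresses use reserved example domains.
GIT_LOG_SAMPLE = (
    "0a1b2c3d\tJane Dev\tjane@example.com\tFix flaky dataloader test\n"
    "4e5f6a7b\tClaude Code\tclaude@example.invalid\tRefactor runtime helpers\n"
    "8c9d0e1f\tJane Dev\tjane@example.com\tBump version to 0.4.1\n"
)

if __name__ == "__main__":
    print("affected:", affected_distributions(installed_lightning()) or "none")
    site_packages = sysconfig.get_paths()["purelib"]
    print("indicators under", site_packages, ":", scan_tree(site_packages) or "none")
    print("commits to review:", suspicious_commits(GIT_LOG_SAMPLE.splitlines()))
```

Run it with the interpreter of the environment under suspicion, since `importlib.metadata` and `sysconfig` only see that interpreter's packages; for a real repository, feed `suspicious_commits` the output of the `git log --all` command noted in the code instead of the constructed sample. A match on any of the three checks is a lead for the credential-rotation step, not a verdict.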
Broader Implications for AI Infrastructure Security
This incident exposes a fundamental vulnerability in how AI and machine learning projects manage dependencies. PyTorch Lightning's position in the deep learning ecosystem means its compromise affects not just individual developers but enterprise AI platforms, research institutions, and cloud-native ML services that depend on it. The attack demonstrates that as organizations accelerate AI adoption, supply chain security in the ML space has become a critical blind spot.
An AI framework compromise is often worse than an ordinary library compromise because AI and ML environments tend to blend development, research, cloud infrastructure, data access, model publishing, and automation inside the same workspace, frequently under one set of long-lived credentials. That convergence creates an unusually rich target: a single compromised dependency can hand an attacker training datasets, model weights, deployment credentials, and cloud infrastructure in one step.
The Escalating Tempo of Supply Chain Attacks
Just last week, three separate supply chain attacks hit npm, PyPI, and Docker Hub between April 21 and 23, all after the same prize: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD pipelines. The PyTorch Lightning incident is the latest in a sustained campaign against open-source package repositories. With automated scanning now flagging malicious packages within minutes, threat actors are adapting by leaning on maintainer account compromise, social engineering, and worm-like self-propagation to maximize the blast radius before takedown.
Security teams must treat PyPI publishing accounts and GitHub repository access as high-value targets that warrant hardware security keys, immutable audit logging, and automated credential rotation; where the index supports it, short-lived OIDC-based trusted publishing from CI removes the long-lived API token that was abused here. The era of supply chain attacks via simple typosquats has given way to sophisticated, multi-ecosystem campaigns designed to compromise development infrastructure at scale.
