JustAppSec

Malicious lightning 2.6.2 and 2.6.3 harvest credentials on import

Published 30 Apr 2026 | Updated 30 Apr 2026 | Source: GitHub Security Advisory (Lightning-AI)

TL;DR - lightning 2.6.2 and 2.6.3 on PyPI contain malicious code that executes a credential harvester on import. Delete both versions, treat any environment that ran them as compromised, rotate all secrets, rebuild from a clean state, and pin to 2.6.1.

What happened

lightning is the PyTorch Lightning training framework - pulled into ML training pipelines, notebooks, and CI jobs across the Python ecosystem.

On April 30, 2026, Lightning AI published a security advisory confirming that 2.6.2 and 2.6.3 were compromised and contain code consistent with credential harvesting. Root cause was still under investigation at the time. The project quarantined both malicious versions from PyPI and rotated internal credentials associated with the release pipeline.

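| Package version | Status    | Notes                        |
|-----------------|-----------|------------------------------|
| 2.6.2           | Malicious | Confirmed in vendor advisory |
| 2.6.3           | Malicious | Confirmed in vendor advisory |
| 2.6.1           | Safe      | Vendor-recommended pin target |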

Independent analyses from Sonatype, Socket, Semgrep, and Snyk describe the payload as import-triggered - no user interaction beyond import lightning. It includes an embedded loader and an obfuscated payload targeting developer and CI credentials. That execution path (install the package, run a notebook or CI job, get owned) is not exotic. It is how most ML workloads actually operate.

Who is impacted

  • Any environment that installed or executed lightning 2.6.2 or 2.6.3.
  • Highest risk: CI runners, shared build hosts, and developer workstations with access to:
    • cloud credentials
    • Git hosting tokens
    • CI/CD tokens
    • SSH keys
    • secrets exposed as environment variables
  • Organisations that mirror PyPI internally are also exposed if either malicious wheel was cached into an internal repository during the availability window.

What to do now

Lightning AI's guidance is direct:

"Assume the environment may be compromised"

  • Remove the affected versions from any system where they were installed:
    • lightning==2.6.2
    • lightning==2.6.3
  • Rotate all credentials and secrets that could have been exposed. The vendor explicitly calls out API keys, access tokens, SSH keys, and service account credentials.
  • Rebuild affected systems from a known clean state.
  • Pin the dependency:

    "Pin PyTorch Lightning to version 2.6.1"

  • Review logs for suspicious or unauthorised activity, focusing on the window when the compromised versions could have executed.
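
The removal and pinning steps above, and the internal-mirror exposure noted under "Who is impacted", can be checked without importing the package, which matters because import is the trigger. This is an added example, not code from the Lightning AI advisory; the function names, the sample requirements text and the artifact file-name patterns are assumptions made for illustration.

```python
"""Locate lightning 2.6.2 / 2.6.3 without ever importing the package."""
import re
from importlib import metadata

BAD_VERSIONS = {"2.6.2", "2.6.3"}  # versions named in the advisory
SAFE_PIN = "lightning==2.6.1"      # vendor-recommended pin

# "lightning==2.6.2", optionally with extras, spaces, markers or a comment.
PIN_RE = re.compile(r"^\s*lightning(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.I)
# Wheel or sdist file names as they would sit in an internal mirror cache.
ARTIFACT_RE = re.compile(r"^lightning-([^-]+?)(?:-.*\.whl|\.tar\.gz)$", re.I)

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
torch==2.4.0
lightning[extra]==2.6.3  # constructed example line
lightning-utilities==0.11.0
"""

def installed_bad_version(search_path=None):
    """Return the installed malicious version or None, reading dist-info
    metadata only. Importing lightning is what runs the payload."""
    kwargs = {"path": list(search_path)} if search_path else {}
    for dist in metadata.distributions(**kwargs):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "lightning" and dist.version in BAD_VERSIONS:
            return dist.version
    return None

def bad_pins(requirements_text):
    """Return [(line_number, version)] for exact pins to a malicious version."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), 1):
        match = PIN_RE.match(line)
        if match and match.group(1) in BAD_VERSIONS:
            hits.append((number, match.group(1)))
    return hits

def bad_artifacts(file_names):
    """Return cached wheel/sdist names that are a malicious release."""
    return [n for n in file_names
            if (m := ARTIFACT_RE.match(n)) and m.group(1) in BAD_VERSIONS]

if __name__ == "__main__":
    print("installed:", installed_bad_version() or "no malicious version found")
    print("pins:", bad_pins(SAMPLE_REQUIREMENTS), "-> replace with", SAFE_PIN)
```

A hit from any of these functions means the host or mirror falls under the advisory's remove, rotate and rebuild guidance; a clean result on a host that previously ran either version does not clear it.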
