PyTorch Lightning and Intercom-client Packages Compromised in Credential-Stealing Supply Chain Attack

Introduction

In a troubling development for the open-source ecosystem, security researchers have uncovered a sophisticated supply chain attack targeting two widely used Python packages: PyTorch Lightning and intercom-client. The attack, discovered by Aikido Security, OX Security, Socket, and StepSecurity, involved the publication of malicious versions designed to steal credentials from unsuspecting users. This incident highlights the growing risk of software supply chain attacks and the need for heightened vigilance among developers.

Below, we break down the details of the attack, its impact, and what steps organizations can take to protect themselves.

Attack Overview: How the Compromise Unfolded

The threat actors behind this campaign targeted PyTorch Lightning, a popular deep learning framework, and intercom-client, a library for integrating with the Intercom customer messaging platform. According to the security firms, the attackers successfully pushed two malicious versions of PyTorch Lightning—versions 2.6.2 and 2.6.3—onto the official Python Package Index (PyPI). Both versions were published on April 30, 2026. The intercom-client package was also compromised in a similar manner, though specific version numbers have not been disclosed.

The malicious code was designed to harvest credentials, including API keys, database passwords, and other sensitive data, from the environments where the packages were installed. The attack leveraged the trust users place in well-known open-source projects, making it a classic supply chain compromise.

Malicious Versions Identified

Security researchers identified the following compromised versions:

• PyTorch Lightning: versions 2.6.2 and 2.6.3
• Intercom-client: details not fully disclosed, but likely a recent version

These versions were available on PyPI for a short period before being flagged and removed. However, during that time, any developer or organization that installed or updated these packages could have been affected. The attack is part of a growing trend where attackers inject malicious code into legitimate packages to infiltrate downstream systems.

How the Attack Worked: Technical Details

The malicious payload in PyTorch Lightning was embedded within the package's setup.py or a similar initialization script. Upon installation, the code would execute automatically, sending collected credentials to an attacker-controlled server. The specific mechanism included:

• Environment scanning: The script searched for environment variables, configuration files, and common credential stores.
• Data exfiltration: Collected data was sent via HTTP or DNS requests to a remote endpoint.
• Obfuscation: The malicious code was disguised to avoid detection by standard static analysis tools.

For intercom-client, the attack vector appears similar, leveraging the package's authentication workflow to intercept credentials used during API calls. The attackers likely aimed to steal Intercom API tokens and other integration-specific secrets.

Both attacks underscore the importance of verifying package integrity, as even trusted libraries can be weaponized.

Impact and Risks to Developers and Enterprises

The immediate risk is credential theft. Developers who installed the malicious versions may have exposed:

• AWS and cloud service credentials
• Database passwords and connection strings
• API keys for third-party services (including Intercom)
• Private repository access tokens

Beyond direct data loss, the attack could lead to further compromise, such as unauthorized access to production environments, data breaches, or lateral movement within corporate networks. For enterprises using PyTorch Lightning in machine learning pipelines, the attack could compromise proprietary models and training data.

The supply chain nature means that even organizations that did not directly install the malicious versions could be affected if they rely on dependencies that include the compromised packages. This cascading effect makes such attacks particularly dangerous.

Mitigation and Recommendations

Security firms and PyPI maintainers have since removed the malicious versions. Nevertheless, organizations should take the following steps to mitigate risk:

1. Audit your dependencies: Check if any projects use PyTorch Lightning version 2.6.2 or 2.6.3, or intercom-client versions from the same period.
2. Scan for indicators of compromise: Look for unexpected outbound network connections or credential checks in your codebase.
3. Rotate all credentials: If you suspect exposure, rotate API keys, passwords, and tokens immediately.
4. Implement package verification: Use tools like pip hash checking or Software Bill of Materials (SBOM) to verify package integrity.
5. Monitor security advisories: Follow updates from security firms like Aikido Security, Socket, and StepSecurity for further intelligence.
6. Use isolated environments: Deploy packages in sandboxed containers or virtual machines to limit potential blast radius.

For the future, developers should adopt practices such as pinning exact package versions and using package signing where available.

Conclusion

The compromise of PyTorch Lightning and intercom-client serves as a stark reminder that open-source security is a shared responsibility. While the swift discovery and removal by security researchers minimized damage, this incident highlights the persistent threat of supply chain attacks. Organizations must invest in proactive security measures, including dependency scanning, continuous monitoring, and developer training. The open-source community, in turn, should strengthen package validation processes and encourage transparency from maintainers.

As cybercriminals continue to target trusted software ecosystems, vigilance is the best defense. Stay informed, verify your packages, and always question unexpected updates.