Supply Chain Attacks on PyTorch Lightning and Intercom-client: A Q&A on Credential Theft

In April 2026, the cybersecurity community detected a sophisticated supply chain attack targeting the PyTorch Lightning and Intercom-client Python packages. Threat actors pushed malicious versions that aimed to steal sensitive credentials from developers and organizations. This Q&A provides detailed insights into the incident, including the compromised versions, attack methods, and steps to protect your systems.

What exactly happened in the supply chain attack involving PyTorch Lightning and Intercom-client?

On April 30, 2026, threat actors successfully compromised the official repositories of two popular Python packages—PyTorch Lightning (also known as Lightning) and Intercom-client. They uploaded malicious versions designed to steal credentials from users who installed or updated these packages. This is a classic software supply chain attack, where attackers inject malicious code into trusted packages to compromise downstream users. The attack was discovered quickly by multiple security firms, but during the window of exposure, any user who installed the tainted versions risked having their cloud service credentials, API keys, and environment variables exfiltrated to attackers.

Which versions of PyTorch Lightning were compromised and how were they identified?

For PyTorch Lightning, the malicious versions were 2.6.2 and 2.6.3. Both were identified by security researchers from Aikido Security, OX Security, Socket, and StepSecurity after unusual behavior was flagged. These versions were published directly to the Python Package Index (PyPI) under the legitimate package namespace. The attackers likely gained access to the maintainer’s credentials or compromised the package’s CI/CD pipeline. Users who had auto-update enabled or who explicitly installed these versions between April 30 and the time of takedown were at risk. The malicious code was obfuscated to evade simple inspection but was detected through behavioral analysis and community reporting.

What about the Intercom-client package? Were multiple versions affected?

While details on Intercom-client are less extensive, security disclosures confirm that multiple versions of this package were also compromised as part of the same campaign. The attackers used similar techniques—embedding credential-stealing code into seemingly legitimate updates. Intercom-client is a wrapper for the Intercom API, often used in customer support integrations. The exact version numbers have not been fully disclosed, but users are advised to review their installed versions and compare against the official advisory from the Intercom-client maintainers. The attack on Intercom-client reinforces that supply chain threats can affect both popular AI tools (PyTorch Lightning) and more niche utility packages.

How do the malicious packages steal credentials? What data is targeted?

Once installed, the malicious version of PyTorch Lightning (and likely Intercom-client) executes code that scans the runtime environment for sensitive information. This includes environment variables, cloud provider credentials (AWS, GCP, Azure), API tokens, and database connection strings. The code then exfiltrates this data to a remote server controlled by the attackers. In some variants, the malware also attempts to locate configuration files such as .env, credentials, and config.json to capture additional secrets. The attack is designed to be silent—users may not notice any performance degradation or unusual behavior until their accounts are compromised. The stolen credentials can then be used for data breaches, lateral movement, or financial fraud.

What is the potential impact on developers or organizations that installed these versions?

The impact can be severe. If the attackers gained access to cloud provider credentials, they could spin up expensive resources, exfiltrate proprietary data, or encrypt systems for ransomware. For open-source projects that rely on PyTorch Lightning, this could mean compromised CI/CD pipelines, leading to further supply chain attacks. Organizations using Intercom-client might have their customer communication data exposed. Even if the malicious versions were removed quickly, any credentials that were already exfiltrated should be considered compromised and rotated immediately. The attack also erodes trust in the Python ecosystem, highlighting the need for stronger package verification practices like code signing and multi-factor authentication for maintainers.

How were these attacks discovered and which security firms were involved?

The attack was detected through a collaborative effort among multiple cybersecurity firms: Aikido Security, OX Security, Socket, and StepSecurity. These organizations monitor package registries for suspicious behavior, such as sudden changes in code complexity or unexpected network connections. After the malicious versions appeared on April 30, their automated alerts fired. Manual analysis confirmed credential-stealing logic. The firms then coordinated with PyPI maintainers to remove the malicious packages and issued public advisories. The quick discovery likely limited the number of victims, but the exact number of installations of the tainted versions before takedown remains unknown.

What steps should users take to protect themselves and verify their systems?

First, check your installed packages: run pip show lightning and pip show intercom-client. If you have version 2.6.2 or 2.6.3 of PyTorch Lightning, or any suspicious Intercom-client version, immediately remove it with pip uninstall and install a clean version (e.g., 2.6.1 or earlier for Lightning). Then, rotate all credentials that were stored in environment variables during the attack window. Review cloud access logs for unusual activity. Enable multi-factor authentication on package maintainer accounts. For future protection, consider using tools like Socket or GitGuardian to automatically block malicious packages. Also, avoid auto-updating in production environments without testing. Regularly audit your dependencies with pip-audit or similar.