PyTorch Lightning Compromised on PyPI as Attackers Push Two Malicious Versions Designed to Harvest Cloud Credentials
Attackers published lightning 2.6.2 and 2.6.3 to PyPI on April 30; both builds executed an obfuscated JavaScript payload on import to harvest cloud credentials from anyone who imported the package. Maintainers quarantined the malicious builds within 42 minutes.