Credential Theft via Supply Chain: PyTorch Lightning and Intercom-client Packages Compromised

Overview of Recent Supply Chain Attacks

In early 2026, the open-source ecosystem faced a pair of coordinated software supply chain attacks targeting widely-used Python packages. Threat actors successfully compromised the Lightning repository (formerly PyTorch Lightning) and the Intercom-client library, releasing malicious versions designed to harvest credentials from unsuspecting users. Security firms including Aikido Security, OX Security, Socket, and StepSecurity reported the incidents, highlighting the growing sophistication of attackers who exploit trust in popular packages.

Attack on PyTorch Lightning (Lightning)

The well-known machine learning framework Lightning became a vector for credential theft after malicious versions 2.6.2 and 2.6.3 were published on April 30, 2026. According to researchers, the attackers gained access to the maintainers' PyPI account, possibly through a leaked API token or a compromised CI/CD pipeline. The tainted releases were downloaded by hundreds of users before being pulled.

Malicious Payload Analysis

Upon installation, the rogue packages executed a background script that connected to a remote command-and-control server. The payload specifically targeted environment variables, SSH keys, and cloud provider tokens stored in the system. Additionally, it intercepted any credentials typed during interactive sessions. Once collected, the data was exfiltrated via encrypted HTTP POST requests.

Impact and Detection

Organizations using Lightning for AI/ML workflows were urged to check their installation logs for versions 2.6.2 and 2.6.3. The malicious code was only active in those two versions; versions before and after (2.6.1 and 2.6.4) are considered clean. Security tools like Socket and StepSecurity have released signatures to detect the compromise.

Simultaneous Breach of Intercom-client

Almost concurrently, another Python package — Intercom-client, an official library for integrating with the Intercom customer messaging platform — suffered a similar fate. The attackers released versions 1.4.5 and 1.4.6 containing obfuscated code that collected OAuth tokens and API keys when users invoked library functions.

Credential Harvesting Mechanism

Unlike the Lightning attack, which used a payload in setup scripts, the Intercom-client compromise hid the harmful logic within the main module's __init__.py. The code activated only when the package was imported and a connection to Intercom was initialized. It then silently recorded authentication details and sent them to a hard-coded endpoint that mimicked a legitimate API endpoint.

Common Attack Vector: Dependencies and Pip

Both incidents share a common pattern: attackers compromise the maintainer's direct access to PyPI, then inject malicious code into otherwise legitimate updates. These attacks underline the risk of dependency confusion and the need for multi-factor authentication on package managers. The community is now pushing for mandatory use of API tokens with short expiration windows and verification of package checksums before installation.

Mitigation Steps for Developers

To protect against similar supply chain threats, security experts recommend the following precautions:

• Pin exact versions in requirements.txt or pyproject.toml, and review updates manually.
• Use digital signatures — verify that the package hash matches the one published on the index.
• Monitor your environment for unexpected outbound connections or credential leaks.
• Rotate compromised credentials immediately if you have installed any of the malicious versions.
• Implement CI/CD scanning with tools like Socket, Dependabot, or GitHub's supply chain security features.

For a deeper dive into detection, refer to the analysis reports by Aikido Security and OX Security.

Response from Package Maintainers

Both the Lightning AI team and the Intercom-client maintainers released patches within 24 hours. The malicious versions were removed from PyPI, and the maintainers reset all access keys. They also published postmortems explaining how the breach occurred and what steps were taken to prevent recurrence. Users are strongly advised to upgrade to the latest stable versions immediately.

Conclusion

The simultaneous compromise of Lightning and Intercom-client illustrates that even trusted open-source projects can be weaponized for credential theft. Developers must adopt a zero-trust approach to dependencies, continuously audit their supply chain, and stay informed about emerging threats. As the attack surface grows, collective vigilance remains the best defense.