
Backdoored PyTorch Lightning Package Delivers Credential Stealer
A malicious version of the PyTorch Lightning package, distributed via the Python Package Index (PyPI), was identified delivering a credential-stealing payload. The backdoored package targets browsers, environment files, and cloud services to exfiltrate sensitive data. No specific dates, CVE IDs, or victim counts were disclosed in the report. The attack leverages a trojanized dependency to execute the malicious payload upon installation. PyPI has since removed the compromised package, but affected systems may still be at risk if the package was previously installed. The incident underscores supply chain risks in open-source software repositories.
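The report says the payload executes "upon installation". For a Python package, the usual way to get that behaviour is a `setup.py` that overrides one of the setuptools commands `pip install` runs (`install`, `develop`, `egg_info`, and so on) via `cmdclass`. The scanner below is an added example written for this page, not code from the report or from the PyTorch Lightning project; it assumes an install-hook mechanism, which the report does not state, and runs against a constructed `setup.py` that only mimics the shape of such a hook. It uses `ast` so the suspect file is never executed while being inspected, and flags install-command overrides, subclasses of those commands, imports that are unusual in a setup script, and runtime code-loading builtins.

```python
import ast
from typing import List

# Constructed sample setup.py for the scanner to analyse. It is NOT the
# backdoored package; it only imitates the structure of an install hook.
SAMPLE_SETUP_PY = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["echo", "post-install step"])

setup(name="demo-package", version="0.0.1",
      cmdclass={"install": PostInstall})
'''

# Constructed benign setup.py with no hooks, used as a negative case.
CLEAN_SETUP_PY = '''
from setuptools import setup
setup(name="demo-package", version="0.0.1")
'''

# setuptools commands that run during `pip install` of an sdist; overriding
# any of them lets a package run arbitrary code on the installing machine.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py", "bdist_wheel"}
# Modules that a normal setup script has no reason to import.
SUSPICIOUS_MODULES = {"subprocess", "base64", "socket", "urllib", "requests",
                      "ctypes", "marshal", "zlib"}
# Builtins that load or run code generated at runtime.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}


def _base_name(node: ast.expr):
    """Return the simple name of a class base such as `install` or `cmd.install`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def scan_setup_py(source: str) -> List[str]:
    """Statically inspect setup.py source and return a list of findings.

    The source is parsed, never executed, so scanning a malicious file is safe.
    An empty list means nothing suspicious was found (not that the file is safe).
    """
    findings: List[str] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # `import subprocess, base64` style imports
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top in SUSPICIOUS_MODULES:
                    findings.append(f"imports {alias.name} (line {node.lineno})")
        # `from urllib.request import urlopen` style imports
        elif isinstance(node, ast.ImportFrom):
            top = (node.module or "").split(".")[0]
            if top in SUSPICIOUS_MODULES:
                findings.append(f"imports from {node.module} (line {node.lineno})")
        # A class deriving from a setuptools install-time command
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _base_name(base)
                if name in INSTALL_COMMANDS:
                    findings.append(
                        f"class {node.name} subclasses setuptools '{name}' "
                        f"command (line {node.lineno})")
        # setup(..., cmdclass={"install": SomeClass}) wiring the hook in
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            if isinstance(node.value, ast.Dict):
                for key in node.value.keys:
                    if isinstance(key, ast.Constant) and key.value in INSTALL_COMMANDS:
                        findings.append(
                            f"cmdclass overrides install-time command '{key.value}'")
        # exec()/eval()/compile()/__import__() on data built at runtime
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in SUSPICIOUS_CALLS:
                findings.append(f"call to {node.func.id}() (line {node.lineno})")
    return findings


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("clean", CLEAN_SETUP_PY)):
        print(f"== {label} ==")
        for finding in scan_setup_py(src) or ["no findings"]:
            print("  " + finding)
```

Run it over the `setup.py` extracted from a downloaded sdist (`pip download --no-binary :all: <package>` then unpack the tarball) before installing. A hit on `cmdclass` plus an unexpected import is a strong reason to read the file by hand; an empty result is not a clean bill of health, since wheels carry no `setup.py` and a payload can equally sit in the package's `__init__.py` and fire on first import.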