PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials
By Ravie Lakshmanan, Apr 30, 2026 (Supply Chain Attack / Malware)
What’s new: PyTorch Lightning versions 2.6.2 and 2.6.3 were compromised in a supply chain attack that steals credentials. The malicious releases were published on April 30, 2026, and contain a hidden directory carrying a JavaScript payload that harvests credentials from the machine on which the package is installed. The attack is attributed to the ongoing Mini Shai-Hulud campaign, which has also compromised the intercom-client npm package.
Who’s affected
Users of PyTorch Lightning versions 2.6.2 and 2.6.3, and of intercom-client version 7.0.4, are at risk. The attack targets developer workstations and CI/CD environments, where it can expose GitHub tokens and other credentials present at install time.
What to do
- Block and remove PyTorch Lightning versions 2.6.2 and 2.6.3 (and intercom-client 7.0.4) from your systems, images and pipelines.
- Pin PyTorch Lightning to the last known clean version, 2.6.1.
- Rotate any credentials, including GitHub tokens and CI secrets, that were present in environments where the affected versions were installed.
- Monitor development and CI/CD environments for unusual activity.
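The first two steps above as a runnable check, added here as an example (it is not code from The Hacker News, Lightning AI or Intercom): a Python script that flags the compromised versions in a requirements.txt, in a package-lock.json, or in the running interpreter, and rewrites PyTorch Lightning pins to 2.6.1. It assumes the PyPI distribution name `pytorch-lightning` (pip normalizes `pytorch_lightning` to it) and the standard pip and npm lockfile formats; the sample manifests in the block are constructed for the example, and no clean intercom-client version is given on this page, so that package is only flagged, not re-pinned.

```python
"""Scan dependency manifests for the compromised versions named in this advisory.

Added example, not code from The Hacker News, Lightning AI or Intercom. Assumes the
PyPI distribution name "pytorch-lightning" and standard requirements.txt and
package-lock.json (lockfileVersion 2 or 3) formats. Sample inputs are constructed.
"""
import json
import re
from importlib import metadata

# Versions the advisory names as malicious, keyed by ecosystem and normalized name.
COMPROMISED = {
    "pypi": {"pytorch-lightning": {"2.6.2", "2.6.3"}},
    "npm": {"intercom-client": {"7.0.4"}},
}
# Last known clean PyTorch Lightning release per the advisory. The page gives no clean
# intercom-client version, so that package is flagged but never auto-pinned.
CLEAN_PIN = {"pytorch-lightning": "2.6.1"}

# requirements.txt pin: name[extras] == version; comments and markers handled separately.
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)(\[[^\]]*\])?\s*==\s*([0-9][^\s;]*)")


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become one '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs pinned to a compromised version in requirements text."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _REQ_LINE.match(line)
        if not m:
            continue  # unpinned, URL/VCS requirement, option line, or blank
        name, version = normalize_pypi(m.group(1)), m.group(3)
        if version in COMPROMISED["pypi"].get(name, set()):
            hits.append((name, version))
    return hits


def pin_clean_requirements(text: str) -> str:
    """Rewrite compromised pins to the last known clean version; other lines unchanged."""
    out = []
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")  # keep any trailing comment intact
        m = _REQ_LINE.match(code.lstrip())
        if m:
            name = normalize_pypi(m.group(1))
            if m.group(3) in COMPROMISED["pypi"].get(name, set()) and name in CLEAN_PIN:
                rest = code.lstrip()[m.end():]  # environment markers / spacing after the pin
                code = f"{m.group(1)}{m.group(2) or ''}=={CLEAN_PIN[name]}{rest}"
        out.append(code + hash_ + comment)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def scan_package_lock(text: str) -> list[tuple[str, str]]:
    """Return compromised (name, version) pairs from a package-lock.json 'packages' map."""
    lock = json.loads(text)
    hits = []
    for path, info in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name for scoped packages
        version = info.get("version")
        if version in COMPROMISED["npm"].get(name, set()):
            hits.append((name, version))
    return hits


def scan_installed() -> list[tuple[str, str]]:
    """Check the running Python environment via importlib.metadata (works offline)."""
    hits = []
    for name, bad in COMPROMISED["pypi"].items():
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if version in bad:
            hits.append((name, version))
    return hits


# Constructed sample manifests for the example (not real project files).
SAMPLE_REQUIREMENTS = """\
torch==2.5.1
pytorch_lightning[extra]==2.6.3  # pulled in by the training image
numpy>=1.26
"""

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "web-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-app", "version": "1.0.0"},
        "node_modules/intercom-client": {"version": "7.0.4"},
        "node_modules/@types/node": {"version": "20.11.0"},
    },
})

if __name__ == "__main__":
    print("requirements.txt hits:", scan_requirements(SAMPLE_REQUIREMENTS))
    print("package-lock.json hits:", scan_package_lock(SAMPLE_PACKAGE_LOCK))
    print("installed hits:", scan_installed())
    print(pin_clean_requirements(SAMPLE_REQUIREMENTS), end="")
```

Run the scanners over real manifests by reading the files into `scan_requirements` and `scan_package_lock`; a hit means the environment that installed from that manifest should be treated as exposed and its credentials rotated, regardless of whether the pin is later corrected.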