News

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

Threat actors compromised the PyTorch Lightning project on PyPI, publishing malicious versions 2.6.2 and 2.6.3 on April 30, 2026. The poisoned releases were built to steal credentials from the systems that installed them, using the trust developers place in an established package as the delivery channel. A separate incident hit the Intercom-client package through the same infection vector. Security firms Aikido Security, OX Security, Socket, and StepSecurity identified the attack.

PyPI maintainers have removed the malicious versions. No CVE identifiers appear to have been assigned yet. The incident follows a pattern of supply chain attacks that target widely depended-on Python packages in order to reach their downstream users.

Defenders should immediately audit their own package-install records (CI build logs, pip caches, lock files and pip freeze output across hosts) for installations of those two versions, and scan any system that installed them for credential-exfiltration artifacts. Organizations running PyTorch Lightning in development or production must upgrade to a release later than 2.6.3 and rotate any credentials that may have been exposed. Longer term, developers should pin dependencies, verify package checksums, and enforce code review for dependency updates.
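One way to act on the audit and checksum advice above, as an added example that is not code from the reporting firms or the PyTorch Lightning project: the script below flags the two affected versions in requirements files or pip freeze output (after PEP 503 name normalization, so spelling variants of the name still match) and checks a downloaded artifact against hash-pinned requirement lines in the layout pip's --require-hashes mode consumes. The sample freeze output, lock file and wheel bytes are constructed; version 2.6.4 stands in for whichever clean release you verified, and the "pytorch-lightning" distribution name is an assumption about how your lock file spells it.

```python
"""Audit Python environments and lock files for the poisoned PyTorch Lightning
releases, and verify downloaded artifacts against hash-pinned requirements.

Added example for this article; not code from the reporting firms or the
PyTorch Lightning project. Sample data below is constructed for illustration.
"""
import hashlib
import re

# Affected releases as stated in the report. "pytorch-lightning" is the
# PEP 503-normalized project name (assumption: if your lock file pins the
# "lightning" distribution instead, add that name here too). The report gives
# no Intercom-client version numbers, so that entry is deliberately absent.
AFFECTED = {
    "pytorch-lightning": {"2.6.2", "2.6.3"},
}

# "name==version" at line start, as written by `pip freeze` or requirements.txt.
# Environment markers (;), --hash options and comments that follow are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;\\#]*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """PEP 503 name normalization: PyTorch_Lightning -> pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str) -> list:
    """Join backslash-continued lines, the layout pip-compile uses for --hash pins."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
        else:
            out.append(buf + raw)
            buf = ""
    if buf:
        out.append(buf)
    return out


def find_affected(lines) -> list:
    """Return (name, version) for every pin that matches a known-bad release."""
    hits = []
    for line in lines:
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, ()):
            hits.append((name, version))
    return hits


def pinned_hashes(lines) -> dict:
    """Map normalized package name -> set of sha256 hex digests from --hash pins."""
    pins = {}
    for line in lines:
        m = PIN_RE.match(line)
        if not m:
            continue
        hashes = {h.lower() for h in HASH_RE.findall(line)}
        if hashes:
            pins.setdefault(normalize(m.group(1)), set()).update(hashes)
    return pins


def artifact_matches_pin(name: str, data: bytes, pins: dict) -> bool:
    """True only if the artifact's sha256 is one of the hashes pinned for that package.

    A package with no pinned hash fails closed, mirroring pip --require-hashes.
    """
    return hashlib.sha256(data).hexdigest() in pins.get(normalize(name), set())


# Constructed sample data (not real pip output, not a real wheel).
SAMPLE_FREEZE = """\
PyTorch_Lightning==2.6.3
torch==2.3.0
"""
FAKE_WHEEL = b"constructed stand-in for a downloaded wheel, not a real artifact"
GOOD_HASH = hashlib.sha256(FAKE_WHEEL).hexdigest()
# 2.6.4 stands in for whichever clean release you verified; substitute it.
SAMPLE_LOCK = f"""\
pytorch-lightning==2.6.4 \\
    --hash=sha256:{GOOD_HASH}
torch==2.3.0 \\
    --hash=sha256:{'0' * 64}
"""

if __name__ == "__main__":
    print("affected pins:", find_affected(logical_lines(SAMPLE_FREEZE)))
    pins = pinned_hashes(logical_lines(SAMPLE_LOCK))
    print("artifact ok:", artifact_matches_pin("pytorch-lightning", FAKE_WHEEL, pins))
    print("tampered ok:", artifact_matches_pin("pytorch-lightning", FAKE_WHEEL + b"x", pins))
```

Against real data, capture pip freeze from each host or CI image and pass its lines to find_affected; for the checksum side, keep --hash entries in requirements.txt and install with pip install --require-hashes -r requirements.txt, so that pip itself refuses any artifact whose digest is not pinned, including a re-uploaded release under a previously trusted version number.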
