A malicious AI library impersonating PyTorch Lightning has been downloaded over 1,000 times, exposing developers to a significant supply chain attack. The malware, discovered by researchers at Semgrep, was designed to steal sensitive secrets directly from machine learning environments. This incident serves as a stark warning about the growing security vulnerabilities in the AI development pipeline.
The Typosquatting Trap
The attack leveraged a classic typosquatting technique, a common method for supply chain attacks. Attackers published a package named pytorch-lightning-v2 to the Python Package Index (PyPI), a close imitation of the legitimate and widely used pytorch-lightning library, tricking developers into installing the malicious version by mistake.
The malicious package was found in versions 2.0.0 through 2.0.4 and has since been removed from PyPI. However, any system where it was installed remains compromised until the malware is removed and secrets are rotated.
What the Malware Steals
Once installed, the counterfeit package executes a script to exfiltrate a wide range of high-value data from the developer's environment. According to the Semgrep security team's report, the malware targets and steals:
- Kubernetes
configfiles - Private SSH keys
- AWS and Google Cloud Platform credentials
/etc/passwdand/etc/shadowfiles- Shell command history (
.bash_history,.zsh_history) - Git configuration files
This collection of secrets provides attackers with deep access to both local machines and cloud infrastructure, posing a severe risk to corporate networks and proprietary AI models.
Protecting Your AI Infrastructure
This attack underscores the critical need for vigilance in managing software dependencies. Developers using PyTorch Lightning should immediately verify that they have not installed the malicious pytorch-lightning-v2 package. The legitimate package has never had a -v2 suffix. Any project containing this dependency is affected.
To stay ahead of threats like these, teams should integrate automated security scanning into their development workflow to detect malicious or vulnerable dependencies before they are deployed. For weekly updates on AI security and best practices, subscribe to the AI Breaking Wire newsletter and join thousands of professionals working to secure their ML pipelines.
Why it matters
This incident is not isolated but part of a disturbing trend targeting the high-value AI sector. As AI models and the data they are trained on become more valuable, the development infrastructure—from open-source libraries to cloud environments—is now a prime target for sophisticated cyberattacks. Securing the AI supply chain is no longer optional; it's a fundamental requirement for building trustworthy and robust artificial intelligence systems.