Canadian Cyber Security Journal

PyTorch Lightning Backdoored in Shai-Hulud Supply Chain Attack: 1,800 Developers Hit, TeamPCP Claims Responsibility

What Happened

Two malicious versions of the popular Python package Lightning — versions 2.6.2 and 2.6.3 — were published to the Python Package Index (PyPI) on April 30, 2026. Lightning is a widely used deep learning and AI training framework built on PyTorch, with hundreds of thousands of downloads per week.

The malicious builds include a hidden _runtime directory containing an obfuscated JavaScript payload that executes automatically when the package is imported. The payload steals cloud credentials, environment variables, authentication tokens, and secrets stored in developer workstation configurations — and attempts to propagate the compromise by poisoning downstream GitHub repositories. SecurityWeek reported over 1,800 developers were affected. Socket and Semgrep published technical analyses of the malware. The attack has been attributed to TeamPCP, the same threat actor behind recent supply chain compromises of Bitwarden CLI, Checkmarx KICS Docker images, and the Cisco Trivy CI/CD breach. Research is available from The Hacker News and SecurityWeek.

Why This Matters for Canadian Organizations

Lightning is a standard dependency in Canadian AI development pipelines — used by university research teams, cloud-native startups, federal digital service teams, and enterprise data science organizations building on AWS, Azure, and GCP. Any Canadian developer or CI/CD pipeline that pulled Lightning versions 2.6.2 or 2.6.3 between April 30 and the point of quarantine is at risk of credential theft.

The specific targets of the payload — cloud credentials, environment variables, and GitHub tokens — map directly to the kind of secrets stored in developer workstations and CI/CD runners. A single compromised build agent with access to production cloud infrastructure represents a significant breach pathway. Under PIPEDA and OSFI Guideline B-13 for federally regulated financial institutions, a credential exposure of this type that leads to unauthorized access to personal or financial data triggers mandatory breach notification obligations.

TeamPCP has now launched a dedicated dark web presence after its accounts were suspended from public platforms, signaling the group is operating with growing operational security and intent to continue. Canadian organizations in AI development, fintech, cloud services, and digital government should treat this group as an active and persistent threat.

What to Do

Remove Lightning versions 2.6.2 and 2.6.3 from all developer workstations, CI/CD pipelines, and container images. Downgrade to version 2.6.1, the last known clean release, and hold upgrades until a verified clean version is available. Rotate all cloud credentials, API keys, GitHub tokens, and SSH keys that existed on any environment where the malicious versions were installed — treat any exposed secret as compromised. Audit your CI/CD pipeline logs for unusual outbound connections or repository pushes from build agents. Review your PyPI dependency scanning controls: if your pipelines do not verify package integrity at install time, this incident is the prompt to close that gap.
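The first step above, as an added example (not code from the article, the researchers it cites, or the Lightning project): a Python audit that walks a site-packages tree, such as a virtualenv or an unpacked container image, and flags any installed lightning distribution whose version is 2.6.2 or 2.6.3 or whose files include a _runtime directory. The on-disk location lightning/_runtime is an assumption; the article only says the malicious builds contain a hidden _runtime directory.

```python
"""Audit Python environments for the Lightning releases named in this article."""
import csv
import sys
import sysconfig
from email.parser import Parser
from pathlib import Path

BAD_VERSIONS = {"2.6.2", "2.6.3"}   # releases the article reports as malicious
MARKER_DIR = "_runtime"             # hidden directory the article describes


def audit_site_packages(root):
    """Return one finding dict per installed 'lightning' distribution under root."""
    findings = []
    for meta_path in Path(root).rglob("*.dist-info/METADATA"):
        meta = Parser().parsestr(meta_path.read_text(errors="replace"), headersonly=True)
        name = (meta.get("Name") or "").strip().lower().replace("_", "-")
        if name != "lightning":
            continue
        version = (meta.get("Version") or "").strip()
        # RECORD lists every installed file; look for a _runtime path component.
        record = meta_path.with_name("RECORD")
        marker_files = []
        if record.is_file():
            with record.open(newline="", errors="replace") as fh:
                marker_files = [row[0] for row in csv.reader(fh)
                                if row and MARKER_DIR in Path(row[0]).parts]
        # RECORD can be missing or stale, so also check the directory on disk.
        # Assumption: the directory sits inside the lightning/ package folder.
        on_disk = (meta_path.parent.parent / "lightning" / MARKER_DIR).is_dir()
        findings.append({
            "dist_info": str(meta_path.parent),
            "version": version,
            "bad_version": version in BAD_VERSIONS,
            "runtime_marker": bool(marker_files) or on_disk,
        })
    return findings


def is_compromised(finding):
    """Either signal alone is enough to remove the package and rotate secrets."""
    return finding["bad_version"] or finding["runtime_marker"]


if __name__ == "__main__":
    roots = sys.argv[1:] or [sysconfig.get_paths()["purelib"]]
    hits = [f for r in roots for f in audit_site_packages(r) if is_compromised(f)]
    for f in hits:
        print(f"REMOVE {f['dist_info']} version={f['version']} marker={f['runtime_marker']}")
    sys.exit(1 if hits else 0)
```

Run it with one or more site-packages paths as arguments; with no arguments it checks the current interpreter's environment and exits non-zero on a hit, so it can gate a CI job.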
