PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials
By Ravie Lakshmanan | April 30, 2026
Two widely used Python packages, PyTorch Lightning and Intercom-client, have fallen victim to sophisticated supply chain attacks orchestrated to steal developer credentials. This security breach represents a significant escalation in attacks targeting the Python Package Index (PyPI) ecosystem.
The compromise of these popular packages demonstrates the persistent vulnerabilities within open-source software repositories, where malicious actors exploit trusted distribution channels to deploy credential-harvesting malware at scale. Developers who downloaded and installed the compromised package versions during the attack window potentially exposed their authentication credentials and other sensitive data to cybercriminals.
This incident highlights a troubling trend in the cybersecurity landscape, where threat actors increasingly focus their efforts on software supply chains rather than direct endpoint attacks. By infiltrating package repositories, attackers can achieve widespread distribution of malicious code through legitimate software update mechanisms that developers routinely trust.
The attack serves as a critical reminder for the development community to implement robust package verification protocols and maintain heightened vigilance when managing software dependencies. Organizations must prioritize enhanced security frameworks throughout their software supply chains to mitigate the risk of similar compromises in the future.
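One concrete form of the "package verification" the article calls for is refusing to install any artifact whose sha256 digest does not match a pin recorded in a lock file, so a package that was swapped out on the index after the pin was taken is rejected rather than installed. The following is an added example, not code from the article or from either affected project; it assumes a pip-style requirements file with `--hash=sha256:` pins and artifacts downloaded separately (for instance with `pip download`). The requirements text, the placeholder name `examplepkg`, and the artifact bytes are constructed sample data.

```python
"""Verify package artifacts against sha256 hash pins in a pip-style
requirements file before installing them. Added example; not code from
the article or from either affected project. The requirements text and
the artifact bytes below are constructed sample data."""
import hashlib
import re

# pip's pinned-requirement syntax: 'name==version --hash=sha256:<hex>' with
# optional backslash line continuations between hashes.
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)")
_HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-fA-F]{64})")


def _norm(name):
    """Normalize a distribution name the way package indexes do (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {normalized_name: (version, {sha256 digests})}.
    Raises on any unpinned or malformed line so a lock file cannot quietly
    drop a pin."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = {d.lower() for d in _HASH_RE.findall(line)}
        pins[_norm(m.group("name"))] = (m.group("version"), digests)
    return pins


def verify_bytes(name, version, data, pins):
    """Check one downloaded artifact (wheel or sdist contents) against the pins.
    Returns (ok, reason); anything other than an exact match is a refusal."""
    entry = pins.get(_norm(name))
    if entry is None:
        return False, "not pinned"
    pinned_version, digests = entry
    if pinned_version != version:
        return False, f"version {version} differs from pinned {pinned_version}"
    if not digests:
        return False, "no --hash pin; refusing to trust the index alone"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in digests:
        return False, f"sha256 mismatch: {digest}"
    return True, "ok"


def verify_file(name, version, path, pins):
    """Same check for an on-disk artifact, e.g. one fetched with 'pip download'."""
    with open(path, "rb") as f:
        return verify_bytes(name, version, f.read(), pins)


# Constructed sample: the pinned digest is sha256(b"abc"), standing in for a
# real wheel's digest. 'examplepkg' is a placeholder name, not a real project.
SAMPLE_REQUIREMENTS = """\
examplepkg==1.2.3 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def demo():
    """Run the check on a matching and a tampered artifact; returns both results."""
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    genuine = verify_bytes("examplepkg", "1.2.3", b"abc", pins)
    tampered = verify_bytes("ExamplePkg", "1.2.3", b"abc\x00", pins)
    return genuine, tampered


if __name__ == "__main__":
    for label, (ok, reason) in zip(("genuine", "tampered"), demo()):
        print(f"{label}: {'PASS' if ok else 'REJECT'} ({reason})")
```

The check is deliberately strict: a missing pin, a missing hash, a version drift, or a digest mismatch all refuse the artifact, because a lock file that is allowed to fall back to "whatever the index serves" offers no protection against exactly the kind of post-publication tampering described above. Name normalization follows the index's own rules so that `ExamplePkg` and `examplepkg` resolve to the same pin.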