PyTorch Lightning Got Owned and the ML Stack Is the New Supply-Chain Target. Three Hits in Eight Days.

April 22 to April 30, 2026. Eight days. Three independent supply-chain compromises, all targeting the machine-learning stack.

xinference on PyPI — three consecutive releases on April 22 carrying a credential-stealing payload. SSH keys. AWS, Azure, and GCP credentials. Environment variables. Crypto wallets.

intercom-client on PyPI — co-disclosed by Socket on April 30 in the same cluster as Lightning. Same JavaScript-payload pattern.

PyTorch Lightning on PyPI — versions 2.6.2 and 2.6.3 published April 30, 2026 from the maintainer namespace. JS payload exfiltrating secrets. Pulled within hours but the wheels reached PyPI mirrors.

The shared shape is the lede. xinference is a model-serving framework. intercom-client is glue infrastructure that ML teams reach for to pipe agents to customer support. Lightning is bundled with practically every fine-tuning workflow on the planet — every researcher, every startup, every Fortune 500 ML team that has ever run pip install lightning. Compromise the maintainer namespace, compromise the supply chain. There is no air gap between "I am training a model" and "my npm publish token is now being shipped to GitHub Releases" once that wheel is in the cache.

That is the headline. The ML training and serving stack is no longer adjacent to the supply-chain attack surface. It is the surface.

We indexed all three this morning. xinference is in our iocs index as Xinference-Harvester. lightning 2.6.2 and 2.6.3 are tagged Lightning-PyPI-Stealer with intercom-client clustered in the same campaign. pgserve from the same April 21-23 window is its own beast — CanisterSprawl, wormable npm — and gets its own writeup. Search analytics.dugganusa.com slash api slash v1 slash search?q=Lightning-PyPI-Stealer if you want the receipts straight from the index.

The ML maintainer story is not new. The volume and velocity is. Three campaigns in eight days, all secrets-focused, all targeting environments where one developer with broad publish rights has the keys to thousands of downstream packages. This is the same trust-lifecycle that ate Silk Road, Mt. Gox, and the original Shai-Hulud npm worm. Reputation accrues. Trust compounds. Then somebody — sometimes the maintainer, sometimes a phisher with the maintainer's session token — cashes in. The bigger the namespace, the bigger the cash-in.

What changes for defenders.

Stop treating the ML environment as a research sandbox. If your data-science laptops have npm publish tokens, AWS keys with production read on bucket inventories, or GitHub Actions secrets that touch the model registry, those laptops are now a Tier 1 target. Treat them like build agents.

Pin transitive dependencies. Lightning 2.6.1 is not a guess about which version is safe — it is the last clean release before the maintainer-namespace compromise. Pin it. Same for xinference: roll back to the last release before April 22 and audit your CI cache for the three poisoned versions.

Rotate on visibility, not evidence. Our standing rule is: if a credential could have been seen, it is leaked. Logs are forensic, not exonerating. If a developer ran pip install lightning between April 30 and the moment PyPI yanked the bad versions, every secret on that machine should already be on its way to retirement. The attacker harvested it; the only question is whether they have monetized it yet.

Watch the AI-agent persistence vector. The TeamPCP mini Shai-Hulud campaign that hit four SAP npm packages on April 29 specifically targeted developer AI-agent configs — dot-claude slash settings.json with SessionStart hook abuse and dot-vscode slash tasks.json with runOn folderOpen. We covered that one in detail. The Lightning compromise has not yet shown the same payload sophistication, but the actor pool overlaps and the same defensive logic applies: anything that auto-runs on shell start, on folder open, or on agent boot is a now a control surface. Treat it that way.

The call we are willing to make at the 95 percent confidence cap.

The maintainer-namespace attack pattern is not slowing down. Three in eight days is not noise. The ML stack has the highest trust-density-per-developer in modern software — ML teams pull from PyPI with abandon, ship to production via opaque inference servers, and run their own fine-tuning loops on machines that frequently have far more credentials than they need. Until the package registries put hardware-key MFA on every maintainer with more than ten thousand monthly downloads, expect this drumbeat to continue. The next compromise is not a question of whether. It is whose namespace, and how many fine-tuning runs are downstream when the wheel hits the mirror.

We will keep indexing them. Receipts at the search API.

Five percent of this analysis is wrong. Murphy was an optimist. Cap stays at ninety-five.

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com