Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN473
_____________________________________________________________________

DATE                : 07/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pytorch-lightning (pip).

=====================================================================
https://github.com/Lightning-AI/pytorch-lightning/security/advisories/GHSA-w37p-236h-pfx3
_____________________________________________________________________


Compromise of PyTorch Lightning PyPi Package Versions
Critical
brahman81 published GHSA-w37p-236h-pfx3 Apr 30, 2026

Package
pytorch-lightning (pip)

Affected versions
>=2.6.2

Patched versions
2.6.1


Description

Security Advisory: Compromise of PyTorch Lightning
PyPI Package Versions

Published: 2026-04-30
Last Updated: 2026-04-30

We have identified a security incident affecting certain versions
of one of our PyPI packages.


What happened

We have determined that one or more released versions of this
package have been compromised and include malicious code.

Our current investigation indicates that the affected versions
have introduced functionality consistent with a credential
harvesting mechanism. We are still actively analysing the
scope and behaviour of the code.

At this stage, the root cause of the compromise is still under
investigation.


What versions are affected

We are currently working to confirm the exact set of impacted
versions.

We have determined the following versions as affected and ask
that you delete them from your systems:

    2.6.2
    2.6.3

We will update this advisory if the versions impacted by this
vulnerability change.


What you should do immediately

If you have installed or are running any potentially affected
versions:

    Assume the environment may be compromised
    Immediately rotate all credentials and secrets that may
have been exposed, including:

        API keys
        Access tokens
        SSH keys
        Service account credentials

    Rebuild affected systems from a known clean state
    Pin PyTorch Lightning to version 2.6.1
    Review logs for any suspicious or unauthorised activity

Actions we have taken

    Quarantined malicious versions from PyPI
    Recommend using version 2.6.1: https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.6.1
    Revoked and rotated all internal credentials associated with our release process
    Initiated a full investigation into the compromise

Ongoing investigation

We are actively working to:

    Identify the exact mechanism of compromise
    Confirm the full set of affected versions
    Determine the behaviour and impact of the malicious code
    Assess any downstream impact to users

We will provide updates as soon as more information becomes
available.


Commitment to transparency

We take the security of our users and the integrity of our
software supply chain extremely seriously.

We will continue to share timely and accurate updates as our
investigation progresses.


Contact

If you have questions or believe you may be impacted,
please contact us at:

security@lightning.ai


Severity
Critical

CVE ID
CVE-2026-44484

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================