Backdoored PyTorch Lightning package drops credential stealer

A malicious version of the PyTorch Lightning package, version 2.6.3, was found to contain a credential stealer that targets browsers, environment files, and cloud services. The package, which has over 11 million downloads, automatically downloads and executes a JavaScript payload upon import, potentially compromising secrets, keys, and tokens.