Security notice: PyTorch Lightning 2.6.2 and 2.6.3

  • Steve

Published: April 30, 2026

NAM impact: NAM’s training code depends on PyTorch Lightning. Users who installed the affected Lightning versions should take action.


Overview

A supply-chain security incident has affected certain versions of PyTorch Lightning distributed via PyPI. Lightning AI has published an official advisory identifying versions 2.6.2 and 2.6.3 as compromised. These versions should be considered unsafe. Neural Amp Modeler (NAM) uses PyTorch Lightning for training. While NAM itself was not compromised, environments that installed the affected Lightning versions may be at risk.


Affected versions

2.6.2
2.6.3

Recommended safe version

2.6.1

What this means for NAM users

If you:

  • Installed NAM from source

  • Ran NAM training locally

  • Used NAM in notebooks or CI

  • Maintain a custom Python environment with Lightning

Then your environment may have installed an affected version depending on timing and dependency resolution.


If you...

  • only use the NAM plugin or download pretrained models,

  • do not train locally (e.g. you use Google Colab or TONE3000)

...then this issue likely does not affect you.


Actions taken for NAM

neural-amp-modeler version 0.12.3 has been published and updates dependency constraints to exclude Lightning versions with known issues.


What you should do

If your environment installed 2.6.2 or 2.6.3, treat it as potentially compromised.

Immediate steps

  1. Remove affected versions

  2. Reinstall safe version

  3. Rebuild environment

  4. Rotate credentials

  5. Review activity/logs

Suggested commands

python -m pip uninstall -y lightning pytorch-lightning pytorch_lightning
python -m pip install "pytorch_lightning<=2.6.1"
python -m pip install --upgrade neural-amp-modeler

Check installed versions

python -m pip show neural-amp-modeler pytorch-lightning lightning
python -m pip freeze | grep -Ei '^(neural-amp-modeler|pytorch[-_]lightning|lightning)=='

Additional precautions

  • Check lockfiles (poetry.lock, requirements.txt, etc.)

  • Inspect CI pipelines and build logs

  • Clear package caches and mirrors

  • Rebuild containers

  • Rotate API keys, tokens, and secrets
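The lockfile check above can be scripted. This is an added example, not code from NAM or Lightning AI: it scans requirements.txt-style and poetry.lock-style text for exact pins of the versions named in this notice. The function names and sample file contents are constructed, and treating both the `lightning` and `pytorch-lightning` distribution names as in scope is an assumption taken from the names the commands above check.

```python
import re
# Versions come from the notice; watching both names is an assumption (see lead-in).
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
WATCHED_NAMES = {"pytorch-lightning", "lightning"}
# requirements.txt / pip freeze pin: name[extras]==version (markers, hashes may follow)
REQ_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.!+-]+)")
# name/version keys as written inside a poetry.lock [[package]] table
TOML_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]+)"')

def normalize(name):
    """PEP 503: pytorch_lightning, Pytorch.Lightning and pytorch-lightning are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_affected(text):
    """Return [(line_no, name, version)] for affected pins in requirements or lockfile text."""
    hits, pkg_name = [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        toml = TOML_KV.match(line)
        if line.strip() == "[[package]]":
            pkg_name = None  # new lockfile entry: forget the previous package name
        elif toml and toml.group(1) == "name":
            pkg_name = normalize(toml.group(2))
        elif toml:  # a version key; only meaningful for a watched package
            if pkg_name in WATCHED_NAMES and toml.group(2) in AFFECTED_VERSIONS:
                hits.append((line_no, pkg_name, toml.group(2)))
        else:
            req = REQ_PIN.match(line)
            if req and normalize(req.group(1)) in WATCHED_NAMES and req.group(2) in AFFECTED_VERSIONS:
                hits.append((line_no, normalize(req.group(1)), req.group(2)))
    return hits

# Constructed sample inputs, not taken from any real project
SAMPLE_REQUIREMENTS = """\
pytorch_lightning==2.6.3 ; python_version >= "3.9"
# pytorch-lightning==2.6.2 is commented out, so it is ignored
neural-amp-modeler==0.12.3
"""
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "numpy"
version = "2.6.2"
[[package]]
name = "pytorch-lightning"
version = "2.6.2"
"""

if __name__ == "__main__":
    for label, text in (("requirements.txt", SAMPLE_REQUIREMENTS), ("poetry.lock", SAMPLE_POETRY_LOCK)):
        print(label, find_affected(text))
```

Only exact `==` pins are matched; a range such as `>=2.6` in an unlocked requirements file says nothing about what was actually resolved, so check the installed versions for those environments.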


Current status

  • Affected versions are no longer installable from PyPI

  • Investigation is ongoing

  • Further updates expected from Lightning AI


Closing

Thanks to the folks at TONE3000 who first made me aware of this news. I will continue to keep NAM dependencies conservative until the upstream situation is fully resolved.


— Steve

 
 

NEURAL AMP MODELER

©2025 by Steven Atkinson
