TeamPCP Poisons PyTorch Lightning PyPI Package (v2.6.2/2.6.3): Credential-Stealing Worm Targets AI/ML Developer Environments and CI/CD Pipelines

On April 30, 2026, the TeamPCP threat group compromised PyTorch Lightning's PyPI publishing channel and pushed two malicious builds (v2.6.2 and v2.6.3) of the lightning package — a deep learning framework with millions of monthly downloads — embedding a credential-harvesting payload that executes automatically on import with no user interaction required. The 11 MB obfuscated JavaScript payload targets SSH keys, cloud credentials, GitHub and npm tokens, and cryptocurrency wallets, exfiltrating data to attacker-controlled repos; it also plants persistence hooks in Claude Code's .claude/settings.json and VS Code's .vscode/tasks.json to re-execute on every IDE session open. Socket's AI scanner flagged the malicious builds 18 minutes after publication and the packages were pulled within 42 minutes, but any CI pipeline that consumed the package during that window — or any developer with a broad version specifier — should treat the environment as fully compromised and rotate all credentials.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.