The Python ecosystem is reeling from a sophisticated supply chain attack targeting Xinference (Xorbits Inference), a widely used open-source framework for deploying Large Language Models (LLMs). On April 22, 2026, security researchers confirmed that three consecutive versions of the package—2.6.0, 2.6.1, and 2.6.2—were published to PyPI containing a potent, two-stage credential-stealing payload.
The attack has been attributed to the threat actor TeamPCP, the same group responsible for recent compromises of the litellm and telnyx packages.
Xinference is a cornerstone for many MLOps pipelines, supporting models like Llama, Mistral, and Qwen. This makes it a lucrative target for attackers. As noted in the report, “Environments running xinference typically hold elevated cloud credentials: GPU instance IAM roles, model registry tokens, object storage access keys, and Kubernetes service account tokens are all common in xinference deployment configurations.”
By compromising this framework, TeamPCP gained a direct line to highly sensitive enterprise infrastructure.
The campaign was characterized by its speed and iterative “live operational refinement”. The malware was injected into xinference/__init__.py, the package’s top-level module. Because Python executes this file on every import, the payload fires automatically whenever a developer runs import xinference or uses the CLI.
The attacker’s progression across the three versions shows a clear evolution in stealth:
- Version 2.6.0: The malicious code was placed at the module scope, making it relatively easy to spot in a code diff.
- Version 2.6.1: The attacker moved the code inside a legitimate helper function to hide it, but mistakenly made the execution synchronous, which could cause visible lag.
- Version 2.6.2: The final refinement moved the payload back to an asynchronous, detached subprocess hidden within a function—achieving both stealth and non-blocking execution.
Once triggered, the first stage decodes a second-stage “credential collector” that is piped directly into a fresh Python interpreter via stdin, ensuring the malicious script never touches the disk.
The collector is disturbingly thorough, targeting:
- Cloud Infrastructure: AWS (disk, environment, and live IMDS API calls), GCP, and Azure.
- Development Tools: SSH keys, Docker configs, npm/PyPI tokens, and Kubernetes service account tokens.
- Sensitive Files: A recursive walk (up to depth 6) through system directories for .env files, TLS/SSL private keys, and CI/CD configurations like terraform.tfvars.
- Crypto Wallets: Wallets for Bitcoin, Ethereum, Cardano, and Solana.
All stolen data is compressed into an archive named love.tar.gz and exfiltrated via a curl POST to the attacker-controlled domain whereisitat.lucyatemysuperbox.space.
While the malicious versions have been yanked from PyPI, any organization that installed Xinference on April 22 must take immediate action.
- Verify Version: Run pip show xinference. If the version is 2.6.0, 2.6.1, or 2.6.2, your system is compromised.
- Downgrade: Immediately run pip install "xinference<2.6.0".
- Rotate Everything: You must rotate all cloud credentials, SSH keys, and API tokens accessible on the affected systems.
- Audit Secrets: Specifically, rotate AWS Secrets Manager and SSM Parameter Store values, as the collector was designed to fetch these live.
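The version check above covers only the environment that pip belongs to. The following added example (not from the original report) walks directory trees for xinference dist-info metadata in every virtualenv or image layer and checks proxy or DNS log lines for the two indicators named above. It never imports the package, since importing is what fires the payload. The function names and the choice of roots are assumptions of this example.

```python
"""Find compromised xinference installs without importing the package."""
import os
import sys
from email.parser import Parser

BAD_VERSIONS = {"2.6.0", "2.6.1", "2.6.2"}  # versions named in the report
IOCS = ("whereisitat.lucyatemysuperbox.space", "love.tar.gz")  # from the report


def find_installs(root):
    """Yield (dist_info_path, version) for each xinference dist-info under root.

    Only the METADATA file is read; importing xinference would run __init__.py.
    """
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not (name.lower().startswith("xinference-")
                    and name.endswith(".dist-info")):
                continue
            meta = os.path.join(dirpath, name, "METADATA")
            try:
                with open(meta, encoding="utf-8", errors="replace") as fh:
                    headers = Parser().parse(fh, headersonly=True)
            except OSError:
                continue  # unreadable or incomplete install, skip it
            # The Name check excludes sibling packages such as xinference-client.
            if (headers.get("Name") or "").lower() == "xinference":
                version = (headers.get("Version") or "").strip()
                yield os.path.join(dirpath, name), version


def compromised_installs(root):
    """Return the installs under root whose version is one of the bad releases."""
    return [(p, v) for p, v in find_installs(root) if v in BAD_VERSIONS]


def ioc_hits(lines):
    """Return (line_number, indicator) for log lines mentioning a reported IoC."""
    return [(n, ioc) for n, line in enumerate(lines, 1)
            for ioc in IOCS if ioc in line.lower()]


if __name__ == "__main__":
    # Roots to scan are given as arguments; default is the current interpreter.
    for root in sys.argv[1:] or [sys.prefix]:
        for path, version in compromised_installs(root):
            print(f"COMPROMISED xinference {version}: {path}")
```

Pass the directories that hold your virtualenvs, container layers, or CI caches as arguments; any hit means the credentials reachable from that host fall under the rotation steps above.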