Three malicious versions of the xinference PyPI package (2.6.0, 2.6.1, 2.6.2) were identified on April 22, 2026, as part of the ongoing TeamPCP supply chain attack series. The poisoned packages target AI inference infrastructure by executing a credential-harvesting payload on import. Unlike prior TeamPCP attacks, this wave lacks persistence mechanisms and data encryption — stolen credentials are gzipped and exfiltrated in plaintext to a new C2 domain. The harvester sweeps SSH keys, cloud credentials (AWS/GCP/Azure/K8s), Docker configs, database passwords, shell histories, and an unusually broad set of cryptocurrency wallet files. Any environment that imported the affected versions should immediately rotate all credentials.
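Because the payload runs on import, a check for the affected versions should read package metadata rather than load the module. The following is an added example, not part of the original advisory: it scans `*.dist-info/METADATA` files and exact `==` pins in requirements-style text for xinference 2.6.0, 2.6.1, and 2.6.2. The function names and sample data are constructed for illustration, and range specifiers such as `>=` are not evaluated.

```python
import re
import tempfile
from email.parser import Parser
from pathlib import Path

# Package and versions named in the advisory above.
PACKAGE = "xinference"
AFFECTED = {"2.6.0", "2.6.1", "2.6.2"}
# Requirements-style exact pin: name, optional [extras], ==, version.
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#,\\]*)")

def normalize(name):
    """PEP 503 normalization so case and separator variants compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_installed(root):
    """Find installed copies by reading dist-info METADATA; nothing is imported."""
    hits = []
    for meta in Path(root).rglob("METADATA"):
        if not meta.parent.name.endswith(".dist-info"):
            continue
        msg = Parser().parsestr(meta.read_text(errors="replace"), headersonly=True)
        version = (msg.get("Version") or "").strip()
        if normalize(msg.get("Name") or "") == PACKAGE and version in AFFECTED:
            hits.append((str(meta.parent), version))
    return sorted(hits)

def scan_pins(text):
    """Return (line number, version) for each exact pin to an affected version."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in AFFECTED:
            hits.append((lineno, m.group(2)))
    return hits

def demo():
    """Constructed sample data: fake site-packages trees and a requirements file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in [("xinference", "2.6.1"), ("xinference", "2.5.0"), ("requests", "2.6.0")]:
            d = Path(tmp, f"env-{ver}", "site-packages", f"{name}-{ver}.dist-info")
            d.mkdir(parents=True)
            (d / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {ver}\n")
        installed = [ver for _, ver in scan_installed(tmp)]
    reqs = "numpy==1.26.4\nXinference[all] == 2.6.0  # constructed pin\nxinference==2.6.3\n"
    return installed, scan_pins(reqs)

if __name__ == "__main__":
    print(demo())
```

Point `scan_installed` at each virtualenv, container image layer, or build cache root, and feed `scan_pins` the contents of requirements and constraints files; a hit in either means the credentials reachable from that environment should be rotated.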