Three consecutive releases of the xinference PyPI package (versions 2.6.0, 2.6.1, 2.6.2) were found to contain a two-stage credential-stealing payload injected into the package's __init__.py file. The malware fires immediately on import, decodes a second-stage collector, and harvests SSH keys, AWS/GCP/Azure credentials, environment variables, crypto wallets, CI/CD secrets, and more, exfiltrating everything as love.tar.gz via curl POST to an attacker-controlled domain. The threat actor marker '# hacked by teampcp' links this to TeamPCP, the group behind earlier litellm and telnyx supply chain compromises. The three versions show iterative refinement of the injection technique. All three versions have been yanked from PyPI. Users who installed any of these versions should rotate all credentials immediately. StepSecurity's analysis includes full decoded payload details, IOCs, SHA-256 hashes, and remediation steps.
Table of contents
Background: What Is xinference?The Injection: Three Versions, One PayloadStage 1 — The Wrapper and start() FunctionStage 2 — The Credential CollectorExfiltrationCampaign TimelineAttributionIndicators of CompromiseRemediationRuntime Validation with StepSecurity Harden-RunnerHow StepSecurity HelpsReferencesSort: