Malicious Xinference Versions on PyPI Steal Cloud Credentials and Sensitive Data
A supply chain attack targeting the Python package Xinference has exposed users to a sophisticated infostealer malware. Threat actors uploaded malicious versions (2.6.0, 2.6.1, and 2.6.2) to the Python Package Index (PyPI) on April 22, 2026, containing heavily obfuscated code designed to exfiltrate sensitive data. While the malware includes references to TeamPCP in its payload, the group has publicly denied involvement via its X (formerly Twitter) account.
The compromised versions execute a base64-encoded payload upon package initialization, harvesting a wide range of credentials and system data, including:
- Cloud credentials (AWS, GCP, Kubernetes tokens)
- Environment variables and SSH keys
- API keys, database passwords, and cryptocurrency wallets (Bitcoin, Ethereum, Monero, etc.)
- Shell history, SSL certificates, and service credentials (Slack, Discord, Postfix)
- System metadata (IP addresses, usernames, network interfaces)
The stolen data is compressed and sent to a command-and-control (C2) server at https://whereisitat[.]lucyatemysuperbox[.]space/. The attack was discovered after a user reported suspicious behavior, prompting Xinference developers to confirm the breach.
With over 600,000 total downloads, the full scope of affected users remains unclear. The latest safe version of Xinference is 2.5.0 or earlier. The malicious commit was traced to a bot account (XprobeBot), active since October 2025, which inserted the payload into the package’s __init__.py file.
This incident underscores the growing threat of supply chain attacks, where compromised maintainer accounts or automated bots are increasingly used to distribute malware at scale.
Source: https://www.ox.security/blog/xinference-allegedly-hacked-by-teampcp-malicious-package-in-pypi/
PyPI cybersecurity rating report: https://www.rankiteo.com/company/pypi
"id": "PYP1776918478",
"linkid": "pypi",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown (users of compromised '
'versions)',
'industry': 'Technology/Software Development',
'location': 'Global',
'name': 'Xinference',
'size': '600,000+ downloads',
'type': 'Software Package'}],
'attack_vector': 'Malicious Package Upload to PyPI',
'customer_advisories': 'Users of Xinference versions 2.6.0-2.6.2 should '
'assume compromise and rotate credentials.',
'data_breach': {'data_encryption': 'Base64-encoded payload',
'data_exfiltration': 'Yes (sent to C2 server)',
'personally_identifiable_information': 'Potentially (system '
'metadata, '
'credentials)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Cloud credentials',
'Environment variables',
'SSH keys',
'API keys',
'Database passwords',
'Cryptocurrency wallets',
'Shell history',
'SSL certificates',
'Service credentials',
'System metadata']},
'date_detected': '2026-04-22',
'date_publicly_disclosed': '2026-04-22',
'description': 'A supply chain attack targeting the Python package Xinference '
'has exposed users to a sophisticated infostealer malware. '
'Threat actors uploaded malicious versions (2.6.0, 2.6.1, and '
'2.6.2) to the Python Package Index (PyPI) on April 22, 2026, '
'containing heavily obfuscated code designed to exfiltrate '
'sensitive data. The compromised versions execute a '
'base64-encoded payload upon package initialization, '
'harvesting cloud credentials, environment variables, SSH '
'keys, API keys, cryptocurrency wallets, shell history, SSL '
'certificates, and system metadata. The stolen data is sent to '
'a command-and-control server at '
'https://whereisitat[.]lucyatemysuperbox[.]space/. The attack '
'was discovered after a user reported suspicious behavior.',
'impact': {'brand_reputation_impact': 'Negative impact on Xinference and PyPI '
'trust',
'data_compromised': 'Cloud credentials (AWS, GCP, Kubernetes), '
'environment variables, SSH keys, API keys, '
'database passwords, cryptocurrency wallets, '
'shell history, SSL certificates, service '
'credentials (Slack, Discord, Postfix), system '
'metadata',
'identity_theft_risk': 'High (PII and credentials exfiltrated)',
'operational_impact': 'Potential unauthorized access to cloud '
'services and sensitive systems',
'systems_affected': 'Systems running malicious Xinference versions '
'(2.6.0, 2.6.1, 2.6.2)'},
'initial_access_broker': {'backdoors_established': 'Malicious payload in '
'__init__.py',
'entry_point': 'Malicious package upload via bot '
'account (XprobeBot)',
'high_value_targets': 'Cloud credentials, API keys, '
'cryptocurrency wallets',
'reconnaissance_period': 'Bot account active since '
'October 2025'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Growing threat of supply chain attacks via compromised '
'maintainer accounts or automated bots; need for stricter '
'package verification on PyPI.',
'motivation': 'Data Theft, Credential Harvesting',
'post_incident_analysis': {'corrective_actions': 'Removal of malicious '
'versions, recommendation to '
'use safe versions (2.5.0 or '
'earlier).',
'root_causes': 'Compromised maintainer account or '
'automated bot (XprobeBot) '
'inserting malicious code into '
'Xinference package.'},
'recommendations': 'Users should verify package integrity, avoid using '
'compromised versions (2.6.0-2.6.2), and monitor for '
'unauthorized access to cloud services.',
'references': [{'source': 'User Report and Xinference Developer '
'Confirmation'}],
'response': {'communication_strategy': 'Public disclosure via user reports '
'and developer confirmation',
'containment_measures': 'Safe version (2.5.0 or earlier) '
'recommended',
'remediation_measures': 'Removal of malicious versions from '
'PyPI'},
'stakeholder_advisories': 'Xinference developers advised users to downgrade '
'to safe versions.',
'threat_actor': 'Unknown (payload references TeamPCP, but group denies '
'involvement)',
'title': 'Malicious Xinference Versions on PyPI Steal Cloud Credentials and '
'Sensitive Data',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Compromised package versions (2.6.0, 2.6.1, '
'2.6.2)'}