Xinference PyPI Supply Chain Attack Exposes Massive Dev Secrets Globally
A severe supply chain attack has compromised the popular Python package Xinference, exposing developers worldwide to massive data theft. Threat actors successfully uploaded malicious versions of the tool to the Python Package Index (PyPI), embedding a heavily obfuscated infostealer directly into the source code.
With over 600,000 total downloads, Xinference represents a highly lucrative target, making this a significant security event for the broader software development community.
Interestingly, while the malicious script leaves a comment explicitly referencing the threat group TeamPCP, the collective has publicly denied any involvement through their official X account.

This incident highlights the ongoing vulnerability of open-source repositories to sophisticated credential harvesting campaigns.
How the PyPI Attack Unfolded
According to threat intelligence from OX Security, the breach began when attackers likely compromised an automated account named XprobeBot.
This service account had been actively managing the repository since October 2025, providing attackers with a trusted vector to inject malicious code without immediately triggering alarms.
On April 22, 2026, the compromised bot account committed a malicious, base64-encoded payload directly into the package’s primary __init__.py file.
Because of this highly strategic file placement, the malware executes the exact moment a developer imports the Xinference package into their Python project.
It does not require any complex installation hooks; merely importing the package triggers the full infection chain.
Xinference developers officially confirmed the security breach after a vigilant user reported highly suspicious system behavior following a routine version update.
Once the initial base64 code runs, it immediately decodes a secondary payload containing the primary infostealer malware.

This aggressive script begins hunting for sensitive information across the infected machine and gathers high-value assets into a compressed archive. It then silently transmits this stolen data to a remote command-and-control server maintained by the attackers.
The infostealer is incredibly thorough and actively searches for several critical data categories:
- Cloud infrastructure configurations for AWS, Google Cloud, and Kubernetes.
- System environment variables, private SSH keys, and SSL certificates.
- Developer API keys, terminal shell history, and database credentials for platforms like SQL, Redis, or MongoDB.
- Cryptocurrency wallets for popular coins like Bitcoin, Ethereum, Dogecoin, and Monero.
- Service credentials and webhooks for platforms like Discord, Slack, and Postfix.
Mitigation
Developers who recently installed or updated Xinference without pinning their specific software dependencies are at severe risk of network compromise.
The malicious package versions distributing the infostealer are specifically identified as 2.6.0, 2.6.1, and 2.6.2. Currently, the latest safe version available for developers on PyPI is 2.5.0.
If your organization utilizes this tool, you must investigate your development environment immediately to prevent unauthorized access.
Security teams and developers should take the following steps to secure their infrastructure:
- Downgrade the Xinference package to version 2.5.0 immediately to remove the active threat.
- Rotate all API keys, cloud credentials, and database passwords that exist on the affected machines.
- Enable two-factor authentication on all vital infrastructure and developer accounts.
- Audit your cloud environments, CI/CD pipelines, and version control systems for unauthorized access.
- Pin all future package dependencies to specific, verified versions to stop automatic malicious updates.
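To support the investigation and pinning steps above, the following Python script is an added example, not code from the original article or the Xinference project. It looks for versions 2.6.0 to 2.6.2 by reading package metadata instead of importing the package, since the import is what runs the payload, and it flags requirement lines that are unpinned or pinned to an affected version. The function names and the requirement-line parsing are assumptions of this example.

```python
"""Audit for affected xinference releases without ever importing the package."""
import re
import sys
from importlib import metadata
from pathlib import Path

PKG = "xinference"
AFFECTED = {"2.6.0", "2.6.1", "2.6.2"}  # malicious versions named in the article

# Match the package name exactly (not e.g. xinference-client), optional extras.
REQ = re.compile(r"^\s*xinference(?![\w.-])(\[[^\]]*\])?\s*(?P<spec>[^;#]*)", re.I)
PIN = re.compile(r"==\s*([\w.]+)(?=\s|$)")  # exact pin only; "==2.6.*" is not a pin

def installed_version(search_path=None):
    """Read the version from dist-info metadata; `import xinference` would run the payload."""
    ctx = {"name": PKG}
    if search_path is not None:  # assumption: caller passes site-packages dirs to inspect
        ctx["path"] = [str(p) for p in search_path]
    for dist in metadata.distributions(**ctx):
        return dist.version
    return None

def classify_requirement(line):
    """Return 'affected', 'pinned-ok' or 'unpinned' for an xinference line, else None."""
    m = REQ.match(line)
    if not m:
        return None
    pin = PIN.match(m.group("spec").strip())
    if pin is None:
        return "unpinned"  # a bare name or a range can resolve to an affected release
    return "affected" if pin.group(1) in AFFECTED else "pinned-ok"

def audit(requirement_lines, search_path=None):
    """Collect findings for the installed package and for requirement lines."""
    findings = []
    version = installed_version(search_path)
    if version in AFFECTED:
        findings.append(f"installed {PKG} {version} is an affected release: rotate secrets")
    for number, line in enumerate(requirement_lines, 1):
        status = classify_requirement(line)
        if status in ("affected", "unpinned"):
            findings.append(f"requirement {number} {status}: {line.strip()}")
    return findings

if __name__ == "__main__":
    lines = [l for f in sys.argv[1:] for l in Path(f).read_text().splitlines()]
    problems = audit(lines)
    print("\n".join(problems) or "no affected or unpinned xinference found")
    sys.exit(1 if problems else 0)
```

Run it with each environment's own interpreter and pass the requirements files to check as arguments; a non-zero exit code means at least one finding.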