Xinference AI Package Compromised on PyPI in TeamPCP Wave
Three malicious versions of the xinference AI inference library were uploaded to PyPI, targeting cloud credentials and SSH keys from 680K+ users. TeamPCP claims a copycat is responsible.
The AI inference library xinference joined the growing list of PyPI packages hijacked in 2026's supply chain attack wave. Versions 2.6.0, 2.6.1, and 2.6.2 contained credential-stealing malware that targeted cloud infrastructure credentials, SSH keys, and cryptocurrency wallets—following the same pattern we've tracked across recent hacking news this month.
Xinference has over 680,000 total downloads on PyPI. The package powers AI and LLM inference workloads across production environments, making its users high-value targets with access to cloud platforms and sensitive infrastructure.
Part of a Larger Campaign
This compromise occurred on April 22, 2026, sandwiched between attacks on elementary-data (which we covered earlier today) and the PyTorch Lightning compromise that hit the machine learning community last week.
According to JFrog's security research team, the malicious code was injected directly into xinference/__init__.py. This placement ensures the payload executes whenever the package is imported—including during CLI startup, service initialization, or any downstream library that checks the package version.
The first stage payload begins with a comment that reads # hacked by teampcp, establishing attribution before unpacking a base64-encoded collector script.
What the Malware Steals
The credential harvester targets:
- SSH keys and configuration files
- Cloud provider credentials (AWS, Azure, GCP)
- Environment variables from development machines
- Cryptocurrency wallet data
- API tokens and configuration files
The stolen data gets compressed into an archive named love.tar.gz and exfiltrated to the attacker's command-and-control server at whereisitat.lucyatemysuperbox.space using a custom HTTP header.
Unlike previous TeamPCP campaigns that encrypted exfiltrated data, the xinference payload sends plain tar archives directly to the C2. This deviation sparked debate among researchers about whether the attack is genuinely TeamPCP's work or a copycat operation.
TeamPCP Denies Involvement
TeamPCP posted on social media denying responsibility for the xinference compromise, claiming a copycat attacker used their name and malicious payload framework. However, security researchers at GitGuardian noted the injection pattern and multi-version cadence remain consistent with established TeamPCP tradecraft.
The threat actor has been on a tear since March 2026. Their campaign began with exploiting a misconfigured GitHub Actions workflow in Aqua Security's Trivy scanner, which cascaded into compromises across SAP npm packages, Bitwarden CLI, LiteLLM, Telnyx, and multiple other high-profile libraries.
Whether TeamPCP directly executed this attack or inspired a copycat, the outcome remains the same: developers running these package versions had their credentials harvested.
Why AI/ML Packages Are Prime Targets
AI inference libraries like xinference operate in environments with elevated privileges. Developers and engineers using these packages typically have:
- Direct access to cloud platforms running AI workloads
- Credentials for model registries and training pipelines
- API keys for commercial AI services
- Access to production databases feeding ML systems
A compromised developer machine in an AI team often provides a direct path to the organization's most sensitive infrastructure. The OAuth token abuse surge we covered shows attackers increasingly targeting these authentication mechanisms.
Immediate Remediation Steps
If you installed xinference versions 2.6.0, 2.6.1, or 2.6.2, treat your environment as compromised:
- Remove the affected version and upgrade to a clean release
- Rotate all cloud provider credentials (AWS access keys, Azure service principals, GCP service accounts)
- Regenerate SSH keys on affected machines
- Review cloud access logs for unauthorized API calls
- Check CI/CD pipeline secrets that may have been exposed
- Audit any cryptocurrency wallets accessible from development systems
For teams running xinference in containers, rebuild images from verified source rather than just updating the version pin.
Indicators of Compromise
| Indicator | Value |
|---|---|
| Malicious versions | 2.6.0, 2.6.1, 2.6.2 |
| C2 domain | whereisitat.lucyatemysuperbox.space |
| Exfil archive name | love.tar.gz |
| HTTP header | X-QT-SR: 14 |
| Code marker | # hacked by teampcp |
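The indicators above can be checked mechanically. The script below is an added example, not code from the article or the xinference project: it looks up any installed xinference, compares its version against the malicious releases, searches its `__init__.py` for the code marker, C2 domain and archive name, and flags proxy log lines (a constructed sample, in an assumed format) that reach the C2 or carry the custom header.

```python
"""Added example, not from the article or the xinference project: check an
environment and proxy log lines against the IoCs in the table above."""
import importlib.metadata as md
import re

MALICIOUS_VERSIONS = {"2.6.0", "2.6.1", "2.6.2"}
C2_DOMAIN = "whereisitat.lucyatemysuperbox.space"
EXFIL_ARCHIVE = "love.tar.gz"
CODE_MARKER = "# hacked by teampcp"
HEADER_RE = re.compile(r"X-QT-SR:\s*14\b", re.IGNORECASE)

def version_is_malicious(version: str) -> bool:
    return version.strip() in MALICIOUS_VERSIONS

def scan_init_source(source: str) -> list[str]:
    """Return which string IoCs appear in the text of a package __init__.py."""
    checks = {"code-marker": CODE_MARKER, "c2-domain": C2_DOMAIN,
              "exfil-archive": EXFIL_ARCHIVE}
    return [name for name, needle in checks.items() if needle in source]

def audit_installed_xinference() -> dict:
    """Look up the installed xinference, if any, and check its version and source."""
    try:
        dist = md.distribution("xinference")
    except md.PackageNotFoundError:
        return {"installed": False}
    result = {"installed": True, "version": dist.version,
              "bad_version": version_is_malicious(dist.version), "markers": []}
    init_path = dist.locate_file("xinference/__init__.py")  # pathlib-style path
    if init_path.exists():
        result["markers"] = scan_init_source(init_path.read_text(errors="replace"))
    return result

def scan_log_lines(lines) -> list[int]:
    """1-based indexes of log lines that hit the C2 domain or carry the exfil header."""
    return [i for i, line in enumerate(lines, 1)
            if C2_DOMAIN in line or HEADER_RE.search(line)]

# Constructed sample proxy log in an assumed format, not a real capture; only line 2 matches.
SAMPLE_LOG = [
    "2026-04-22T10:01:05Z CONNECT pypi.org:443 status=200",
    '2026-04-22T10:01:09Z POST whereisitat.lucyatemysuperbox.space/ hdr="X-QT-SR: 14" bytes=48213',
    "2026-04-22T10:02:11Z GET files.pythonhosted.org/packages/ status=200",
]

if __name__ == "__main__":
    print(audit_installed_xinference())
    print("suspicious log lines:", scan_log_lines(SAMPLE_LOG))
```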
Supply Chain Defense for AI Teams
The concentration of attacks against AI/ML packages isn't coincidental. These libraries have high download counts, run in privileged environments, and are maintained by small teams who may lack security resources.
Organizations deploying AI infrastructure should:
- Pin dependencies to specific versions with hash verification
- Run package installations in isolated sandbox environments before production
- Monitor for unusual package updates using dependency scanning tools
- Require code review for any dependency version changes
- Use private package registries that proxy and scan upstream packages
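As an added example (not from the article or the xinference project) of the first item, the linter below checks a pip requirements file for `==` pins that carry a `--hash=sha256:` digest and refuses the three malicious xinference releases. Comment handling is simplified relative to pip's own parser, and the sample file and its digests are constructed placeholders.

```python
"""Added example, not from the article or the xinference project: lint a pip
requirements file for == pins with sha256 hashes and known-bad xinference pins."""
import re

MALICIOUS = {("xinference", v) for v in ("2.6.0", "2.6.1", "2.6.2")}
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==([^\s;]+)")

def logical_lines(text: str):
    """Yield requirements with pip's backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # simplified comment handling
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def lint_requirements(text: str) -> list[str]:
    """Return findings: unpinned specs, pins without a sha256 hash, malicious pins."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as --index-url or -r
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"not pinned with ==: {line}")
            continue
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if "--hash=sha256:" not in line:
            findings.append(f"no sha256 hash for {name}=={version}")
        if (name, version) in MALICIOUS:
            findings.append(f"known malicious release pinned: {name}=={version}")
    return findings

# Constructed sample; the digests are placeholders, not real wheel hashes.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
xinference==2.6.1 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
numpy>=1.26
"""
```

Run `lint_requirements(SAMPLE_REQUIREMENTS)` to see it flag the malicious xinference pin and the unpinned numpy line; wire the same check into CI so a dependency change cannot merge without a hash and without passing the blocklist.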
For broader context on defending against supply chain malware, our malware defense guide covers detection and response strategies.
The malicious xinference versions have been removed from PyPI. Check your lockfiles and container manifests to confirm you're running clean versions.