Critical Supply Chain Compromise: Malicious Infostealer Detected in Xinference Python Package

The software development community is facing a significant security milestone as a sophisticated supply chain attack has successfully targeted Xinference, a widely-used Python package. With over 600,000 cumulative downloads, the reach of this compromise poses a substantial risk to developers and organizations globally, potentially exposing them to massive data exfiltration.

Threat actors managed to inject a heavily obfuscated infostealer directly into the Python Package Index (PyPI), compromising the integrity of the package and turning a trusted utility into a vehicle for cyber espionage.

Suspicious Version (Source: OX security)
Suspicious Version identified in the package (Source: OX security)

Interestingly, the malicious script contains a signature attributing the attack to a group known as TeamPCP. However, in a classic case of “false flag” or attribution confusion, the group has officially denied any involvement via their social media presence on X.

Technical Breakdown: The Anatomy of the Breach

According to detailed forensic analysis by OX Security, the entry point into the supply chain appears to be the compromise of an automated account. An account named XprobeBot—which has been active within the ecosystem since October 2025—was likely hijacked to facilitate the injection.

On April 22, 2026, the attackers utilized this bot to commit a malicious, base64-encoded payload directly into the package’s __init__.py file. This specific placement is particularly insidious: because __init__.py is executed the moment a developer performs a standard import xinference statement, the malware achieves immediate execution upon initialization of the package in any Python environment.

Hackers by TEam PCP(Source: OX Security)
Code snippet analysis (Source: OX Security)

The breach was brought to light after a user reported anomalous system behavior following a routine package update. Once the initial obfuscated code runs, it acts as a “dropper,” decoding and executing a secondary payload containing a high-performance infostealer. This malware performs a deep reconnaissance of the host machine, hunting for high-value digital assets.

The script identifies, archives, and silently exfiltrates sensitive data to a remote Command-and-Control (C2) server. The targeted data categories include:

  • Cloud Infrastructure: Configuration files for AWS, Google Cloud, and Kubernetes (K8s).
  • System Secrets: Environment variables, private SSH keys, and SSL certificates.
  • Development Credentials: API keys, shell histories (bash/zsh), and database connection strings (SQL, Redis, MongoDB).
  • Financial Assets: Cryptocurrency wallet files for Bitcoin, Ethereum, Dogecoin, and Monero.
  • Communication Tokens: Webhooks and service credentials for Discord, Slack, and Postfix.

Immediate Remediation and Incident Response

If your development environment or CI/CD pipelines utilize Xinference, you must act immediately. The malicious versions are identified as 2.6.0, 2.6.1, and 2.6.2. The last known clean version is 2.5.0.

Recommended Action Plan:

  • Immediate Downgrade: Force your environment to use xinference==2.5.0 to eliminate the active threat.
  • Credential Rotation: Assume all secrets on the infected machine are compromised. Rotate all cloud API keys, SSH keys, and database passwords immediately.
  • Enforce MFA: Ensure Multi-Factor Authentication is active across all critical infrastructure and service accounts to mitigate the impact of stolen credentials.
  • Environment Audit: Conduct a thorough review of cloud environments and CI/CD logs for any unauthorized lateral movement or unusual API calls.
  • Dependency Pinning: To prevent future “dependency confusion” or automated malicious updates, always use strict version pinning (e.g., package==version) in your requirements.txt or pyproject.toml files.

Related Articles

Back to top button