xinference - isotope¹³

Incident Summary

Xinference PyPI Two-Stage Credential Stealer

TeamPCP compromised three consecutive xinference PyPI releases, 2.6.0 through 2.6.2, by adding an import-time two-stage Python credential stealer to xinference/__init__.py. The attacker iterated the trigger across releases but kept the same core behavior: collect SSH keys, environment variables, cloud and Kubernetes credentials, package-manager tokens, CI/CD files, shell history, and wallet material, then archive and exfiltrate the results to attacker infrastructure. The incident is notable for its rapid multi-version refinement and for sharing TeamPCP markers and injection patterns with the LiteLLM and Telnyx compromises.

Date: 2026-04-22
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package xinference

LanguagePython

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain pypi.org

Repository github.com/xorbitsai/inference

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: Advanced Persistent Threat
Transitive: Yes
User Impact: 0
Observed Duration: 0 days

Evidence

Compromised Artifacts

Indicators and Changes

Hashes

sha256:f677cd06e0dfbd23b6feb47f31d49cb8fcc88ed0487d30143d36d4f54261e3de
sha256:4c5c589f543b1a02251451ab3baaeed7c82851de10fa33f87b95a85e3040c92e
sha256:96007d4ee4171e383cecdf7a34b606bfcb78eff435182dc86daa49a17153dcd3

External References

stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package

Source Data

Source record: oss/xinference/meta.yaml