Xinference PyPI release stole credentials

On April 22, 2026, three consecutive releases of xinference, a widely deployed open-source framework for serving large language models, went to PyPI carrying a credential stealer wired into the package's top-level import.

Researchers at StepSecurity said the malicious code was added to xinference/__init__.py in versions 2.6.0, 2.6.1, and 2.6.2, so any process that imported the library, including the inference server itself on startup, ran the payload. The attacker iterated visibly across the three releases. Version 2.6.0 executed a base64-decoded blob at module scope. Version 2.6.1 wrapped the same logic in an _install() function and ran it synchronously with exec(). Version 2.6.2 kept the function-level hiding but moved execution into a detached subprocess.Popen call so the parent import would return cleanly.

The decoded first stage carried the marker # hacked by teampcp. It launched a second Python collector, wrote the harvested material to a temporary file, compressed it as love.tar.gz, and POSTed it to whereisitat.lucyatemysuperbox.space with the custom header X-QT-SR: 14. The collector targeted what tends to sit on a model-serving host: SSH keys, cloud credentials, Kubernetes tokens, Docker auth files, .env files, shell histories, TLS private keys, and cryptocurrency wallets.

StepSecurity noted that this variant did not carry the RSA wrapping seen in earlier TeamPCP payloads against LiteLLM and Telnyx, leaving open the possibility of a copycat. The on-disk marker, the choice to plant in __init__.py, and the rapid three-version iteration over a few hours nonetheless match TeamPCP tradecraft from the same week.

Motive

Credential Theft

Attribution

Group

Cause

Compromised Account Credentials

Transitive

Yes

Actor

TeamPCP

• TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Packagestepsecurity.io