TeamPCP Compromises Xinference PyPI Package in Latest Supply Chain Attack
Key Takeaways
- Xinference versions 2.6.0-2.6.2 on PyPI were hijacked and trojanized with malicious code that executes automatically on import
- TeamPCP's two-stage attack collects extensive credentials and secrets including AWS keys, SSH keys, Kubernetes tokens, and database credentials before exfiltrating them to attacker infrastructure
- This is part of a broader multi-ecosystem campaign by TeamPCP targeting major package repositories across Python, JavaScript, Go, and other ecosystems
Summary
The JFrog security research team has identified a supply chain attack targeting the xinference package on PyPI, with versions 2.6.0, 2.6.1, and 2.6.2 compromised by the threat actor TeamPCP. The attack follows the group's established pattern of hijacking legitimate packages by injecting base64-encoded malicious payloads into core modules that execute immediately upon import. This marks the latest in an ongoing multi-ecosystem campaign by TeamPCP, who have previously compromised other major Python packages including litellm and telnyx, as well as targets in npm, Go, OpenVSX, and GitHub repositories.
The malicious code embedded in xinference/__init__.py executes a two-stage attack: the first stage harvests sensitive data and exfiltrates it to attacker-controlled infrastructure, while the second stage performs host reconnaissance and collects a comprehensive range of secrets including SSH keys, AWS credentials, Kubernetes tokens, Docker registry authentication, database credentials, and cryptocurrency wallet files. The payload is designed to hide from the main application process by spawning a detached subprocess that suppresses all output. Users who installed or imported the compromised versions must assume their environments are fully compromised and take immediate remediation steps.
- The attack specifically targets production environments, CI/CD runners, and cloud VMs where sensitive credentials are likely to be present
- Users of affected versions must assume complete environment compromise and perform full security audits and credential rotation
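
Because the payload runs on import, a host should be checked without importing the package. The following is an added example, not code from JFrog or the xinference project: it reads the installed version from package metadata and scans the text of xinference/__init__.py. The heuristic patterns and the `make_sample` helper (a constructed, inert test fixture) are assumptions for illustration.

```python
import base64
import re
import sys
from importlib.metadata import distributions
from pathlib import Path

AFFECTED = {"2.6.0", "2.6.1", "2.6.2"}  # versions named in the report
# Heuristic patterns are assumptions for illustration, not published indicators.
B64_LITERAL = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
LAUNCH = re.compile(r"\b(exec|eval|subprocess|os\.system)\b")

def init_looks_trojanized(init_path):
    """Flag a long base64 literal that sits next to decode-and-launch code."""
    text = Path(init_path).read_text(errors="replace")
    return bool("b64decode" in text and B64_LITERAL.search(text)
                and LAUNCH.search(text))

def audit(site_dirs):
    """Inspect installed xinference copies from metadata and file text only."""
    findings = []
    for dist in distributions(path=[str(d) for d in site_dirs]):
        if (dist.metadata.get("Name") or "").lower() != "xinference":
            continue
        init = Path(dist.locate_file("xinference/__init__.py"))
        findings.append({
            "version": dist.version,
            "affected_version": dist.version in AFFECTED,
            "suspicious_init": init.is_file() and init_looks_trojanized(init),
        })
    return findings

def make_sample(root, version, trojanized):
    """Write a constructed, inert install tree used only to exercise audit()."""
    root = Path(root)
    info = root / f"xinference-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: xinference\nVersion: {version}\n")
    pkg = root / "xinference"
    pkg.mkdir()
    body = "__version__ = %r\n" % version
    if trojanized:  # harmless stand-in: the blob is base64 of repeated 'A'
        blob = base64.b64encode(b"A" * 300).decode()
        body += ("import base64, subprocess\n_p = %r\n"
                 "# subprocess.Popen([..., base64.b64decode(_p)])\n" % blob)
    (pkg / "__init__.py").write_text(body)
    return root

if __name__ == "__main__":
    for finding in audit(p for p in sys.path if p):
        print(finding)
```

A clean result from the file scan does not clear a host that ever imported an affected version; the version match alone is grounds for the credential rotation described above.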


