Xinference Attack: A Wake-Up Call for Python Developers


Three malicious versions of Xinference, a widely used Python package for self-hosted AI inference, were uploaded to PyPI this week carrying obfuscated code that harvests cloud credentials, SSH keys, cryptocurrency wallets and other secrets from developer machines. The compromised versions, 2.6.0, 2.6.1 and 2.6.2, have since been yanked by the maintainers, but any system that imported them should be treated as fully compromised: every secret that was readable from that machine should be assumed stolen.

What Happened

On April 22, security firms including JFrog and Mend.io flagged the tampered releases after users reported suspicious behavior. The malicious code was injected into the package's __init__.py via a commit from a compromised bot account, XprobeBot, so it runs the moment the package is imported: any "import xinference", whether from an application, a test suite, a notebook or a CI job, triggers it. The payload hides a credential-harvesting routine behind two nested layers of base64 encoding (obfuscation, not encryption, so it decodes trivially once noticed). The routine sweeps the host for an extensive list of sensitive data: AWS, GCP and Azure credentials, Kubernetes tokens, SSH keys, database passwords, cryptocurrency wallet files, Docker configs, shell histories and environment variables. The stolen data is bundled into a tar archive and exfiltrated over HTTPS to an attacker-controlled domain.

Xinference, built by Xorbits, is an open-source framework for self-hosting large language models, embedding models, and image generation at scale. The package has accumulated over 600,000 total downloads on PyPI.

Disputed Attribution

The attack bears the hallmarks of TeamPCP, a threat actor group tracked across multiple supply chain campaigns targeting PyPI, npm, and other ecosystems since March 2026. Code markers referencing TeamPCP appear inside the payload. However, the group denied responsibility on X (formerly Twitter), calling the incident the work of a copycat. JFrog researchers noted the payload structure and targeting profile are consistent with prior TeamPCP compromises of packages including LiteLLM and Telnyx, but acknowledged the attribution remains uncertain.

Notably, the Xinference payload differs from earlier TeamPCP attacks in one respect: it leaves no persistence mechanism on disk. There is no reverse shell, no scheduled task and no backdoor, only a single-fire credential exfiltration triggered on import. That makes the on-host cleanup simple (remove the package and the threat to the machine ends) but does nothing about the secrets that had already left the machine by the time the import returned.

Recommended Actions

Tencent Cloud issued a risk notice on April 23, urging affected users to conduct security self-checks and remediate immediately. Security researchers across JFrog, Mend.io and OX Security are advising any developer or organization that installed Xinference versions 2.6.0 through 2.6.2 to rotate all credentials accessible from the compromised machine, including SSH keys, cloud IAM credentials, Kubernetes service account tokens, PyPI and npm publishing tokens and database passwords. Because shell histories and environment variables were also taken, rotation should cover anything those could reveal, not only the credential files themselves. Downgrading to version 2.5.0, the last known safe release, and pinning dependencies (ideally with hashes, so a substituted artifact fails to install rather than installing silently) are also recommended.
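As an added example (not code from this article, from the researchers named above, or from the Xinference project), the following Python script covers the two practical questions the sections above raise: is an installed copy one of the affected versions, and does its __init__.py carry the nested-base64 dropper pattern described under What Happened? It assumes only what the text states (the affected versions, the 2.5.0 safe release, a payload hidden as two base64 layers in __init__.py). The constructed_sample() fixture is a stand-in built for this example, not the real payload, and the list of suspicious tokens is a heuristic chosen here, not an indicator published by any of the firms.

```python
"""Triage helper for the Xinference incident (added example, not project code).

Assumptions, taken from the article: affected releases 2.6.0-2.6.2, last known
safe release 2.5.0, and a credential harvester hidden behind two nested base64
layers in the package's __init__.py. The sample in constructed_sample() is
built here for illustration and testing only; it is not the real payload.
"""
import base64
import re
import sys
from importlib import metadata
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.0", "2.6.1", "2.6.2"}
LAST_KNOWN_SAFE = "2.5.0"

# A quoted run of base64-alphabet characters. Payloads are long, so a
# 64-character floor keeps ordinary constants (hashes, tokens) out of the results.
_B64_LITERAL = re.compile(rb"['\"]([A-Za-z0-9+/=]{64,})['\"]")
_B64_ONLY = re.compile(rb"[A-Za-z0-9+/=\s]+")
# Heuristic token list (this example's choice): things a harvester needs that a
# plain data constant would not contain.
_SUSPICIOUS = (b"exec(", b"eval(", b"compile(", b"subprocess", b"socket",
               b"urlopen", b"requests", b"tarfile", b".ssh", b".aws")


def classify_version(version: str) -> str:
    """Map an installed version onto the categories the advisories use."""
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version == LAST_KNOWN_SAFE:
        return "last-known-safe"
    return "unlisted"


def installed_version(dist: str = "xinference"):
    """Version string of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def find_init(dist: str = "xinference"):
    """Locate the distribution's top-level __init__.py through its RECORD."""
    for p in metadata.files(dist) or []:
        if p.as_posix().endswith(f"{dist}/__init__.py"):
            return Path(p.locate())
    return None


def decode_layers(blob: bytes, max_layers: int = 4) -> list:
    """Peel nested base64 layers; return each decoded layer, outermost first.

    Decoding stops at the first layer that is not valid base64 or that no
    longer looks like base64 text, so the last element is the innermost
    content that could be recovered.
    """
    layers = []
    current = b"".join(blob.split())
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        if not _B64_ONLY.fullmatch(decoded):
            break
        current = b"".join(decoded.split())
    return layers


def scan_source(src: bytes) -> list:
    """Flag long base64 literals that decode at least twice to code-like text.

    A literal is reported only when it nests (depth >= 2) AND its innermost
    layer contains one of the suspicious tokens; a single base64 layer or a
    nested blob of plain data is left alone to limit false positives.
    """
    findings = []
    for m in _B64_LITERAL.finditer(src):
        layers = decode_layers(m.group(1))
        if len(layers) < 2:
            continue
        innermost = layers[-1]
        hits = [t.decode() for t in _SUSPICIOUS if t in innermost]
        if hits:
            findings.append({"offset": m.start(), "depth": len(layers), "tokens": hits})
    return findings


def constructed_sample() -> bytes:
    """A constructed stand-in for an import-time dropper, for testing only."""
    inner = b"import tarfile, urllib.request\nexec(compile('pass', '<s>', 'exec'))\n"
    blob = base64.b64encode(base64.b64encode(inner))
    return b"import base64\nexec(base64.b64decode(base64.b64decode('" + blob + b"')))\n"


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("xinference is not installed in this environment")
        sys.exit(0)
    print(f"xinference {version}: {classify_version(version)}")
    init = find_init()
    if init is not None and init.is_file():
        for f in scan_source(init.read_bytes()):
            print(f"nested base64 at byte {f['offset']} (depth {f['depth']}): {f['tokens']}")
```

Run it inside each environment (virtualenv, container image, CI runner) that could have held the package; a finding is a trigger to start the credential rotation above, and a clean scan of a freshly installed 2.5.0 says nothing about what an earlier import already sent out.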

The incident is part of a broader wave: between April 21 and 23, three distinct supply chain campaigns hit npm, PyPI, and Docker Hub simultaneously, all targeting developer secrets.