
This report analyzes a supply chain compromise involving malicious Xinference packages on PyPI, which were used to exfiltrate sensitive data, harvest cloud credentials, and target cryptocurrency wallets.
On April 22, 2026, a user reported that Xinference version 2.6.2 looked suspicious. During installation, they noticed unusual server activity, which raised concerns about a possible security issue. Later, Qinxuye, the Co-founder and CEO of xorbitsai, confirmed that the project was “under attack.” As a result, the affected versions were quickly removed (yanked) to prevent further risk to users.

Three versions of the Xinference package were identified as malicious: Xinference-2.6.0, Xinference-2.6.1, and Xinference-2.6.2. These versions were compromised as part of the supply chain attack and were subsequently removed (yanked) from PyPI by the maintainers to prevent further exposure to users.

Xinference (Xorbits Inference) is an open-source tool that makes it easy to run and serve AI models like large language models (LLMs), speech recognition, and multimodal models. With just one command, developers and researchers can deploy these models on their local machine or in the cloud.
It supports many popular models such as Llama-3, ChatGLM, Whisper, and Baichuan. You can run it on a simple PC (CPU or GPU) or scale it across multiple machines.
Attackers took control of the official Xinference release process and uploaded infected versions to PyPI. The harmful code was placed inside the xinference/__init__.py file, so it runs automatically as soon as the package is imported.
Inside the file, there is a hidden payload encoded in base64. This payload is executed using a separate background process (subprocess.Popen) that starts a new Python interpreter. It runs silently without showing any output or errors, which helps the malware stay hidden from the main application.
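A defender-side static check for the loader shape described above, as an added example that is not from the original report or the Xinference project: it parses a module's source without executing it and reports a long base64 literal, a base64 decode call, and a process spawn. The `MIN_LEN` threshold, the `SPAWN` list, and both sample strings are assumptions constructed for illustration.

```python
import ast
import base64
import binascii
import re

MIN_LEN = 200  # assumption: literals this long are unusual in an __init__.py
B64_RE = re.compile(r"[A-Za-z0-9+/=\s]+")
SPAWN = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "Popen"}

def _is_b64_blob(value):
    """True for a long str/bytes literal that decodes cleanly as base64 (heuristic)."""
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    if not isinstance(value, str) or len(value) < MIN_LEN or not B64_RE.fullmatch(value):
        return False
    try:
        return bool(base64.b64decode(value))
    except (binascii.Error, ValueError):
        return False

def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.Popen'."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts, target = [target.attr] + parts, target.value
    if isinstance(target, ast.Name):
        parts.insert(0, target.id)
    return ".".join(parts)

def scan_init_source(source):
    """Return the sorted indicator names found in one module's source text."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and _is_b64_blob(node.value):
            found.add("long-base64-literal")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name.endswith("b64decode"):
                found.add("base64-decode")
            if name in SPAWN:
                found.add("process-spawn")
    return sorted(found)

# Constructed samples (not taken from the malicious releases); parsed only, never executed.
_BLOB = base64.b64encode(b"print('placeholder')\n" * 12).decode()
SUSPECT = ("import base64, subprocess, sys\n"
           f"_p = '{_BLOB}'\n"
           "subprocess.Popen([sys.executable, '-c', base64.b64decode(_p)])\n")
BENIGN = "__version__ = '0.0.0'\nfrom .client import Client\n"
```

All three indicators appearing together in a package's `__init__.py` is the combination worth triaging; any one alone is common in legitimate code.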

In the first stage, the decoded Python script starts with the comment #hacked by teampcp.
The code also contains a hidden second stage of malware that runs quietly in the background. First, it creates a temporary folder on the system. Then it decodes another piece of hidden code (stored in base64 format) and sends it to a new Python process to execute.
The output from the hidden process is written to a temporary file. After that, the file is compressed into an archive (love.tar.gz). This archive likely contains data collected from the system.
Finally, the malware uses a command-line tool (curl) to upload this archive to a remote server (“https://whereisitat.lucyatemysuperbox.space/”). The request is sent in a way that hides errors and avoids showing any output, making the activity hard to notice. Once done, all temporary files are automatically deleted to remove traces.

The payload collects basic information about the system to understand the environment it is running in. It gathers details like the machine name, current user, working directory, operating system, and network configuration. It also lists all environment variables, which can sometimes contain sensitive data such as credentials or API keys. This helps the attacker quickly get an overview of the system before performing further actions.

The malware primarily targets sensitive data commonly found on Linux systems, cloud servers, CI/CD environments, and application hosts.
In addition to local data collection, the malware also targets cloud environments by collecting AWS credentials from the system.
It first checks if AWS access keys are already available in environment variables. If found, it outputs them, including the access key, secret key, and session token, which are all sensitive pieces of information used to access cloud resources.
It then tries to contact the AWS metadata service (a special internal service in cloud environments) to fetch additional credentials linked to the machine’s role. If successful, it retrieves temporary IAM role credentials and updates them for further use. This allows the attacker to gain deeper access to cloud services without needing direct login details.

The code searches the system for cryptocurrency wallet files and private keys. It checks common locations in user folders and looks for files related to Bitcoin, Ethereum, and other digital currencies. It also scans for key files used to access and control these wallets. The goal is to collect sensitive data that can be used to steal cryptocurrency funds from the victim.

TeamPCP denied any involvement in the attack via Twitter, stating that the activity was likely carried out by a copycat actor attempting to impersonate the group using its name and associated malicious payload.

URL: hXXps[:]//whereisitat[.]lucyatemysuperbox[.]space/
2.6.0 – e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127
2.6.1 – 0fd4d0234c994768a9c4bd3b8f71aa27100f6fd9bb345ddea9b0af7524d14a80
2.6.2 – 1720f08544981f0c71acd1fa81c49bb45623dbc085adcdfc91be91bf3e9f6ac3
Contributors:
Siva Prasad Boddu
