Xinference PyPI package backdoored on import
JFrog flagged three consecutive xinference releases (2.6.0-2.6.2) on PyPI carrying a TeamPCP-style payload embedded in xinference/__init__.py that fires on import. The malware base64-encodes a stage-1 wrapper containing the comment # hacked by teampcp, then spawns a detached subprocess that bundles harvested data into love.tar.gz and POSTs it with a custom X-QT-SR: 14 header. TeamPCP publicly denied involvement, claiming a copycat. 600,000+ downloads of malicious wheels.
- Threat actor
- TeamPCP (disputed — actor denies)
- Detected by
- JFrog
- Also known as
- TeamPCP family payload · xinference backdoor
- Ecosystems
- PyPI
- Packages tracked
- 1
What happened
JFrog flagged three consecutive xinference releases (2.6.0, 2.6.1, 2.6.2) on PyPI carrying a backdoor matching the TeamPCP family of payloads. The trigger is import-time — the malicious code lives in xinference/__init__.py, so pip install plus any subsequent import xinference is enough to fire it; --ignore-scripts does not help.
The payload is a base64-encoded stage-1 wrapper containing the marker comment # hacked by teampcp. It decodes and spawns a detached subprocess that gathers environment variables, common cloud-credential files, SSH material, and AI-tool configs, bundles them as love.tar.gz, and POSTs the archive to whereisitat.lucyatemysuperbox.space with the custom header X-QT-SR: 14.
TeamPCP publicly denied involvement and claimed this was a copycat trying to leverage their name. Either way, the technical fingerprint (# hacked by teampcp marker, love.tar.gz archive, X-QT-SR header) lines up with the earlier litellm, telnyx, and durabletask campaigns published to PyPI under the same banner.
Exposure is meaningful: across the three malicious wheels, JFrog observed 600,000+ downloads before PyPI pulled the versions, with risk concentrated on AI / ML inference infrastructure since xinference is a popular model-serving framework. Block whereisitat.lucyatemysuperbox.space at egress and inspect any host that imported the bad versions for love.tar.gz artefacts.
Affected packages (1)
- PyPI
xinference2.6.02.6.12.6.2
Impact
- Credential and host-data exfiltration for anyone importing xinference 2.6.0-2.6.2
- Risk concentrated on AI/ML infrastructure that uses xinference as a serving framework
- Import-time execution bypasses install-script-blocking defences
What to do
- 1Yank / uninstall xinference 2.6.0-2.6.2; pin to a known-good prior version
- 2Rotate any credentials accessible to environments where xinference was imported
- 3Block
whereisitat.lucyatemysuperbox.spaceat egress - 4Inspect for
love.tar.gzartefacts on AI inference hosts