Feed
CriticalPublished 22 Apr 20261 package · 3 versions

Xinference PyPI package backdoored on import

Summary

JFrog flagged three consecutive xinference releases (2.6.0-2.6.2) on PyPI carrying a TeamPCP-style payload embedded in xinference/__init__.py that fires on import. The malware base64-encodes a stage-1 wrapper containing the comment # hacked by teampcp, then spawns a detached subprocess that bundles harvested data into love.tar.gz and POSTs it with a custom X-QT-SR: 14 header. TeamPCP publicly denied involvement, claiming a copycat. 600,000+ downloads of malicious wheels.

credential-theftinfostealerobfuscation
Threat actor
TeamPCP (disputed — actor denies)
Detected by
JFrog
Also known as
TeamPCP family payload · xinference backdoor
Ecosystems
PyPI
Packages tracked
1

What happened

JFrog flagged three consecutive xinference releases (2.6.0, 2.6.1, 2.6.2) on PyPI carrying a backdoor matching the TeamPCP family of payloads. The trigger is import-time — the malicious code lives in xinference/__init__.py, so pip install plus any subsequent import xinference is enough to fire it; --ignore-scripts does not help.

The payload is a base64-encoded stage-1 wrapper containing the marker comment # hacked by teampcp. It decodes and spawns a detached subprocess that gathers environment variables, common cloud-credential files, SSH material, and AI-tool configs, bundles them as love.tar.gz, and POSTs the archive to whereisitat.lucyatemysuperbox.space with the custom header X-QT-SR: 14.

TeamPCP publicly denied involvement and claimed this was a copycat trying to leverage their name. Either way, the technical fingerprint (# hacked by teampcp marker, love.tar.gz archive, X-QT-SR header) lines up with the earlier litellm, telnyx, and durabletask campaigns published to PyPI under the same banner.

Exposure is meaningful: across the three malicious wheels, JFrog observed 600,000+ downloads before PyPI pulled the versions, with risk concentrated on AI / ML inference infrastructure since xinference is a popular model-serving framework. Block whereisitat.lucyatemysuperbox.space at egress and inspect any host that imported the bad versions for love.tar.gz artefacts.

Affected packages (1)

  • PyPIxinference
    2.6.02.6.12.6.2

Impact

  • Credential and host-data exfiltration for anyone importing xinference 2.6.0-2.6.2
  • Risk concentrated on AI/ML infrastructure that uses xinference as a serving framework
  • Import-time execution bypasses install-script-blocking defences

What to do

  1. 1Yank / uninstall xinference 2.6.0-2.6.2; pin to a known-good prior version
  2. 2Rotate any credentials accessible to environments where xinference was imported
  3. 3Block whereisitat.lucyatemysuperbox.space at egress
  4. 4Inspect for love.tar.gz artefacts on AI inference hosts

References

pypi-2026-04-22-xinference-teampcp