According to StepSecurity Threat Intelligence, xinference versions 2.6.0, 2.6.1 and 2.6.2 on PyPI carried a two-stage credential-stealing payload injected directly into xinference/__init__.py, harvesting SSH keys, cloud credentials and environment variables on import. The campaign is attributed to TeamPCP, the same actor linked to the litellm and telnyx compromises, with the actor marker “# hacked by teampcp” embedded in the decoded payload.
On 22 April 2026, three releases were confirmed, and each was yanked from PyPI. The exfiltration targeted the domain whereisitat.lucyatemysuperbox[.]space, using archives named love.tar.gz and a curl POST. The injection moved from module scope in 2.6.0 to inside the _install() function in 2.6.1 and 2.6.2, and 2.6.2 restored a detached subprocess.Popen for asynchronous operation.
StepSecurity notes that Harden-Runner blocked the outbound exfiltration in a GitHub Actions run, preventing credentials from leaving the runner, and urges immediate credential rotation and remediation for affected systems.
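
Because the payload runs when the package is imported, a check for the affected releases should read installed-package metadata and dependency pins instead of importing xinference. The following is an added example, not code from StepSecurity or the xinference project; the function names are hypothetical and it assumes requirements-style pin lines.

```python
import re
from importlib import metadata

# Versions named in the report above.
AFFECTED = {"2.6.0", "2.6.1", "2.6.2"}

# Exact pin with optional extras, e.g. "xinference[all]==2.6.1 \" or with a marker.
PIN = re.compile(r"^\s*xinference(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)", re.I)


def affected_pins(lines):
    """Return (line_number, version) for each exact pin of an affected release."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = PIN.match(line)
        if match and match.group(1) in AFFECTED:
            hits.append((number, match.group(1)))
    return hits


def affected_installs(search_paths=None):
    """Find affected installs from *.dist-info metadata; nothing is imported.

    search_paths: directories to scan (default: the interpreter's sys.path).
    """
    kwargs = {} if search_paths is None else {"path": [str(p) for p in search_paths]}
    hits = []
    for dist in metadata.distributions(**kwargs):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "xinference" and dist.version in AFFECTED:
            hits.append((dist.version, str(dist.locate_file(""))))
    return hits


if __name__ == "__main__":
    # Constructed sample input, not taken from any real project.
    sample = [
        "xinference[all]==2.6.1 \\",
        "    --hash=sha256:<placeholder>",
        "xinference==2.6.10",
        "xinference-client==2.6.2",
    ]
    for number, version in affected_pins(sample):
        print(f"requirements line {number}: pinned to affected xinference {version}")
    for version, where in affected_installs():
        print(f"installed: xinference {version} under {where}")
```

A hit from either function marks a system where the credential rotation the report urges applies.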