Xinference PyPI Package Compromised in Supply Chain Attack
Take action: If you're using Xinference, immediately check if you have versions 2.6.0, 2.6.1, or 2.6.2 installed and downgrade to version 2.5.0, which is the last safe release. Since the malicious versions steal credentials, you must also rotate all API keys, cloud secrets, SSH keys, and database passwords that may have been exposed on affected systems.
Xinference, an AI model inference platform, suffered a supply chain attack on the Python Package Index (PyPI) involving versions 2.6.0, 2.6.1, and 2.6.2. No CVE identifiers or CVSS scores have been assigned to these malicious releases at this time.
The breach occurred when a compromised automated account, XprobeBot, added malicious code to the package's initialization files.
The malicious package injects infostealer code that executes on package import to harvest cloud credentials and system secrets. This allows attackers to gain full control over cloud environments and sensitive data.
The infostealer targets cloud credentials for AWS (including Secrets Manager), Google Cloud (GCP), Kubernetes (K8s) tokens, system environment variables, SSH private and public keys, database credentials, and hardcoded API keys from configuration files. It also looks for cryptocurrency wallet data for Bitcoin, Ethereum, Monero, and other digital assets.
The malicious code mentions the threat group 'TeamPCP,' but the group denied involvement on social media. Developers confirmed that versions 2.6.0 through 2.6.2 are malicious, while version 2.5.0 is the last safe release on PyPI.
Organizations must check their systems for the affected versions and downgrade to version 2.5.0 immediately. Because the malware steals credentials, simply deleting the package is not enough; you must rotate all API keys, cloud secrets, and SSH keys.
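One way to run the version check described above, as an added example that is not code from the Xinference project or from this advisory: it reads the installed version from package metadata instead of importing the package, because the malicious code executes on import, and it also flags exact pins in requirements files. The distribution name `xinference` and the sample requirements text are assumptions made for this example.

```python
"""Check for the compromised Xinference releases without importing the package."""
import re
import sys
from importlib import metadata

PACKAGE = "xinference"                      # assumed PyPI distribution name
COMPROMISED = {"2.6.0", "2.6.1", "2.6.2"}   # malicious versions named in the advisory
LAST_SAFE = "2.5.0"                         # last safe release named in the advisory

# Exact pins only, e.g. "xinference==2.6.1" or "Xinference[all] == 2.6.0 ; marker".
PIN_RE = re.compile(r"^\s*xinference(?:\[[^\]]*\])?\s*===?\s*([^\s;#,\\]+)", re.I)

# Constructed sample requirements text for trying scan_requirements().
SAMPLE = """numpy==1.26.4
xinference[all]==2.6.1 ; python_version >= "3.9"
Xinference == 2.5.0
xinference-extras-demo==2.6.1
xinference==2.6.2  # pinned by CI
"""

def installed_version(package=PACKAGE):
    """Read the version from dist-info metadata. Do not 'import xinference'
    to check it: the malicious code runs at import time."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None

def is_compromised(version):
    return version is not None and version.strip() in COMPROMISED

def scan_requirements(text):
    """Return (line_number, version) for each exact pin of a compromised release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if match and is_compromised(match.group(1)):
            hits.append((lineno, match.group(1)))
    return hits

if __name__ == "__main__":
    version = installed_version()
    status = "COMPROMISED" if is_compromised(version) else "not an affected version"
    print(f"{PACKAGE}: {version or 'not installed'} ({status}; last safe is {LAST_SAFE})")
    for path in sys.argv[1:]:               # optional requirements/lock files
        with open(path, encoding="utf-8") as fh:
            for lineno, pinned in scan_requirements(fh.read()):
                print(f"{path}:{lineno}: pins compromised {PACKAGE}=={pinned}")
```

Run it with each environment's own interpreter (every virtualenv, container image, and CI runner), since it only sees the environment it runs in. A clean result now does not clear a host where an affected version was imported earlier, so credential rotation still applies there.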