Trojanized Xinference PyPI Releases Deployed a Multi-Stage Credential Stealer
Three consecutive xinference releases on PyPI—2.6.0, 2.6.1, and 2.6.2—were compromised with malicious code injected into xinference/__init__.py, causing a payload to run on import before the packages were yanked by maintainers. Researchers said the trojanized package launched a detached Python subprocess that decoded and executed a multi-stage stealer, with later versions refining the injection to make it less obvious while preserving the same second-stage collector. JFrog and StepSecurity linked the activity to the broader TeamPCP campaign based on payload structure, actor markers, and tradecraft, though JFrog noted the group publicly denied involvement and claimed a copycat reused its name and tooling.
The malware harvested SSH keys, cloud credentials, Kubernetes tokens, package manager secrets, environment files, TLS keys, developer secrets, and cryptocurrency wallets, and included AWS-focused logic to query instance metadata and enumerate secrets-related services. Stolen data was archived as love.tar.gz and exfiltrated to whereisitat.lucyatemysuperbox.space using a POST request with the custom header X-QT-SR: 14; StepSecurity said its Harden-Runner blocked the outbound transfer in testing. Security firms advised organizations to treat any host that installed or imported the affected versions as fully compromised, rotate all accessible credentials, audit logs for misuse, and rebuild impacted environments from a trusted baseline.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Gurucul publishes IOCs and detection guidance for malicious xinference releases
Gurucul released additional technical details on the xinference PyPI compromise, including SHA-256 hashes and detection queries to help defenders identify affected systems and related activity. The report also emphasized theft of SSH keys, API tokens, cloud credentials, and cryptocurrency wallet data from versions 2.6.0, 2.6.1, and 2.6.2.
Further reporting warns js-logger-pack 1.1.27 compromises hosts
Subsequent coverage highlighted that systems executing js-logger-pack version 1.1.27 should be considered fully compromised until persistence is removed and secrets are rotated. The reporting reiterated that the package abused Hugging Face both as a malware CDN and as an exfiltration backend.
TeamPCP publicly denies involvement in xinference compromise
An update in JFrog's reporting said TeamPCP publicly denied responsibility for the xinference attack and claimed a copycat used its name and payload. This introduced uncertainty into the initial attribution.
JFrog and StepSecurity publish analyses linking xinference attack to TeamPCP or copycat
On the same day the malicious xinference releases were disclosed, JFrog and StepSecurity published technical analyses of the compromise. Both linked the activity to the broader TeamPCP campaign based on payload overlaps, while noting the possibility that the actor was a copycat rather than TeamPCP itself.
Maintainers yank compromised xinference releases from PyPI
After the malicious behavior was identified, the xinference maintainers removed versions 2.6.0, 2.6.1, and 2.6.2 from PyPI. Security researchers advised treating any host that installed or imported those versions as compromised and rotating exposed secrets.
Trojanized xinference 2.6.0, 2.6.1, and 2.6.2 released on PyPI
Three consecutive xinference releases published on PyPI on April 22, 2026 contained malicious code injected into xinference/__init__.py that executed on import. The payload harvested credentials and sensitive files, then exfiltrated them to whereisitat.lucyatemysuperbox.space as love.tar.gz using a custom X-QT-SR: 14 header.
JFrog details js-logger-pack using Hugging Face for payload hosting and exfiltration
JFrog reported that malicious js-logger-pack versions, including 1.1.27, downloaded cross-platform implant binaries from the attacker-controlled Hugging Face repository Lordplay/system-releases. The implant established persistence, communicated with C2 at 195.201.194.107:8010, and exfiltrated stolen data into private Hugging Face datasets controlled by the attacker.
Malicious js-logger-pack versions tracked as MAL-2026-2827
SafeDep and OSV previously tracked malicious npm package activity involving js-logger-pack as MAL-2026-2827 before JFrog published its deeper technical analysis. The campaign involved trojanized package versions that acted as a supply-chain dropper.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Xinference PyPI Supply Chain Attack: Credential Theft, Cloud Abuse, and Crypto Wallet Targeting | Community Portal | Gurucul
community.gurucul.com
Open sourceXinference PyPI Supply Chain Poisoning Warning - NSFOCUS
nsfocusglobal.com
Open sourceMalicious npm Package Turns Hugging Face Into Malware CDN and Exfiltration Backend
cybersecuritynews.com
Open sourceTeamPCP strikes again: Xinference PyPI package compromised - Infosec.Pub
infosec.pub
Open sourceTeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package - StepSecurity
stepsecurity.io
Open sourceTeamPCP strikes again: Xinference PyPI package compromised - JFrog Security Research
research.jfrog.com
Open sourcejs-logger-pack Operator Turns Hugging Face into a Malware CDN and Exfiltration Backend - JFrog Security Research
research.jfrog.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026
Compromised `mistralai` PyPI Package Deployed Linux Credential-Stealing Malware
Microsoft Threat Intelligence warned that version `2.4.6` of the widely used `mistralai` package on PyPI was compromised in a software supply-chain attack, with malicious code inserted into `mistralai/client/__init__.py`. The code executed on import, retrieved a second-stage payload from a remote server, and deployed malware on Linux systems. The payload was written to `/tmp/transformers.pyz` to resemble legitimate Hugging Face tooling, while additional components including `pgmonitor.py` and a persistent `systemd` service named `pgsql-monitor.service` were used to blend into developer and database-monitoring environments. Microsoft said the malware primarily targeted credentials and persistence, with the potential to expose GitHub tokens, cloud API keys, SSH keys, npm credentials, and CI/CD secrets. Researchers said the intrusion may be tied to the broader **Mini Shai-Hulud** campaign, which has also been associated with compromised TanStack packages and multiple Mistral npm SDK packages, suggesting an expanding effort against developer ecosystems and trusted package repositories. The malware also contained geo-aware logic, including a destructive branch that could trigger system wiping on hosts appearing to be in Israel or Iran, while avoiding Russian-language systems. Microsoft urged defenders to isolate affected Linux hosts, block outbound connections to the malicious infrastructure, hunt for indicators including `/tmp/transformers.pyz`, `pgmonitor.py`, and `pgsql-monitor.service`, and rotate any credentials that may have been exposed.
May 25, 2026
Malicious PyPI Packages Hit LiteLLM and PyTorch Lightning With Credential-Stealing Backdoors
Two widely used Python packages, **LiteLLM** and **PyTorch Lightning**, were distributed on PyPI with malicious code that executed during installation or import and attempted to steal credentials and establish persistence. In the LiteLLM incident, versions `1.82.7` and `1.82.8` were flagged as compromised, with maintainers and downstream projects warning that a `litellm_init.pth` file contained data-exfiltration malware that sent information to `models.litellm.cloud`. Public advisories and community tooling were released to help users determine whether their machines had been affected, while third-party analysis described the package as combining credential theft with a persistent backdoor. In the PyTorch Lightning incident, version `2.6.3` on PyPI was found to trigger a hidden execution chain as soon as the package was imported, launching a background process that downloaded the **Bun** runtime from GitHub and ran an obfuscated JavaScript payload named `router_runtime.js`. Microsoft Threat Intelligence said Defender detected and blocked the activity, tracked as **ShaiWorm**, and reported that only a small number of devices in a narrow set of environments were affected. The malware targeted browser data, `.env` files, API keys, GitHub tokens, and cloud credentials across **AWS**, **Azure**, and **GCP**, and also supported arbitrary command execution; Lightning AI reverted the package to `2.6.1`, urged anyone who imported `2.6.3` to rotate all secrets immediately, and said it is investigating a possible compromise of its build or release pipeline.
May 25, 2026