Supply Chain Poisoning via PyPI Repository Compromise
Essential information
- Published
- 27/04/2026 13:40
- Modified
- 27/04/2026 14:58
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai framework base64 encoding cloud exploitation credential theft pypi compromise supply chain attack teampcp xinference
- Tags
- 2026-04-27 ai framework base64 encoding cloud exploitation credential-theft pypi compromise supply chain attack teampcp xinference
- Related entities
- 4 indicators, 4 observables, 20 techniques (mitre), 2 others
Description
Xinference, an open-source distributed AI model inference framework, suffered a supply chain attack when attackers compromised PyPI release credentials of maintainers and published three malicious versions (2.6.0, 2.6.1, 2.6.2) on April 22, 2026. The malicious code, encoded in Base64 layers within __init__.py, executes automatically upon library installation or import, collecting cloud credentials, SSH keys, API tokens, database passwords, cryptocurrency wallets, and environment variables. The payload specifically targets AWS environments through metadata service exploitation and uploads stolen data to attacker-controlled infrastructure. The attack affects users who downloaded these versions from PyPI, which has over 680,000 total downloads. Attribution remains unclear as TeamPCP's name appears in the code but the group denies involvement, suggesting third-party impersonation.