Which versions of xinference are malicious?

The following PyPI versions of xinference are flagged malicious: 2.6.0, 2.6.1, 2.6.2. Treat any of these as compromised.

How do I remediate xinference if I installed it?

xinference is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed xinference — how do I know if it already compromised me?

If xinference was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is xinference part of a known attack campaign?

Yes — xinference is associated with the 2026-04-teampcp campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find xinference across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for xinference (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging xinference across your stack and pipelines.

Malicious package

xinferencePyPI

Malicious code in xinference (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3000

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall xinference

What this malware does

Versions 2.6.0, 2.6.1, 2.6.2 were compromised.

Following a malicious pull request that exfiltrated sensitive data from the CI runner, three malicious PyPI releases were published. Infected releases contain code typical for TeamPCP actions that exfiltrates all kinds of sensitive data (credentials, env variables, SSH keys, cloud tokens, configuration files, shell histories, cryptowallets, data from secret managers...). Malicious action activates during importing the main package's module. TeamPCP denies their involvement.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-teampcp

Reasons (based on the campaign):

exfiltration-env-variables
exfiltration-ssh-keys
obfuscation
exfiltration-cloud-tokens
exfiltration-crypto
exfiltration-credentials
compromised-package
exploited-ci-vulnerability

Malicious versions

3 flagged

2.6.02.6.12.6.2

Indicators of compromise (SHA-256)

25da806da7e63e3ef29a6bf9a22495ddb5994053824700948e6740be10a2631c

f288797f91465adeae4842f0207774f4449e72e97db4a5294c21e49ad43feb91

54172efdf42a71a4e8f39d6ddb66b03c848fcedce234a3d5b2d045d895da256b

1d006f6a08c959393160456d4ace221fd165b6d609fc8356ebfb041979aef93d

a7c691db31186531364af84c285bdf565a8973581f09b6cdaf279531e86c0835

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for xinference (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging xinference across your stack and pipelines.
If you installed it — respond
xinference is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If xinference was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks xinference before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. xinference on PyPI has been identified as a malicious package (versions 2.6.0, 2.6.1, 2.6.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-04-teampcp

References

Credits

Kamil Mańkowski (kam193) · analyst

Detect & block this

O3 blocks xinference-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring