Date: 04/28/2026
Severity: High
Summary
The Xinference PyPI supply chain attack involved malicious versions of the xinference package (2.6.0 through 2.6.2) that executed hidden, obfuscated code as soon as the package was imported. The payload was base64-encoded to evade static detection and ran silently in the background. Once active, it harvested SSH keys, API tokens, cloud credentials and system information and exfiltrated them to a remote server, enabling follow-on cloud abuse; it also targeted cryptocurrency wallets. Because the payload runs at import time, installing and importing an affected version is sufficient for compromise; none of the package's normal functionality needs to be used. Any host that imported one of these versions should be treated as compromised and the credentials it held (SSH keys, API tokens, cloud keys) rotated. The incident highlights the growing risk of open-source supply chain attacks.
Indicators of Compromise (IOC) List
Domain : whereisitat.lucyatemysuperbox.space (observed callback URL: https://whereisitat.lucyatemysuperbox.space/)
Hash (SHA-256) :
e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127
0fd4d0234c994768a9c4bd3b8f71aa27100f6fd9bb345ddea9b0af7524d14a80
1720f08544981f0c71acd1fa81c49bb45623dbc085adcdfc91be91bf3e9f6ac3
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : domainname like "whereisitat.lucyatemysuperbox.space" or url like "https://whereisitat.lucyatemysuperbox.space/" or siteurl like "https://whereisitat.lucyatemysuperbox.space/"
Detection Query 2 : sha256hash IN ("1720f08544981f0c71acd1fa81c49bb45623dbc085adcdfc91be91bf3e9f6ac3","e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127","0fd4d0234c994768a9c4bd3b8f71aa27100f6fd9bb345ddea9b0af7524d14a80")
Query 1 hunts for the callback host in DNS, proxy and web telemetry: the domainname term is compared against the bare hostname, while the url and siteurl terms match the full callback URL. Query 2 matches the SHA-256 hashes of the malicious artifacts in endpoint or file-integrity telemetry. Hash matching only catches the exact artifacts listed; a re-published or repacked payload would carry different hashes, so pair it with the network indicator and a check of the installed xinference version against the affected range.
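The following triage script is an added example written for this page; it is not Gurucul's or the Xinference project's code. It turns the advisory's indicators into three host-side checks: whether the installed xinference version falls in the affected 2.6.0 to 2.6.2 range, whether any file under a directory (for example the pip cache or site-packages) matches one of the three SHA-256 hashes, and whether local DNS or proxy log lines mention the callback host. It also includes a generic heuristic for import-time loaders of the kind the summary describes (a base64 blob decoded and passed to exec); that regex is an assumption about the general technique, not a signature of this payload, and will flag benign decode-and-exec code too. All sample inputs are constructed.

```python
# Added triage helpers for the Xinference 2.6.0-2.6.2 PyPI incident.
# Example code written for this page, not Gurucul's or Xinference's own.
# Indicators are copied from the advisory above; sample inputs are constructed.
import hashlib
import re
from importlib import metadata
from pathlib import Path
from typing import List, Optional, Tuple

AFFECTED_VERSIONS = {"2.6.0", "2.6.1", "2.6.2"}
IOC_HOST = "whereisitat.lucyatemysuperbox.space"
IOC_SHA256 = {
    "e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127",
    "0fd4d0234c994768a9c4bd3b8f71aa27100f6fd9bb345ddea9b0af7524d14a80",
    "1720f08544981f0c71acd1fa81c49bb45623dbc085adcdfc91be91bf3e9f6ac3",
}


def is_affected_version(version: str) -> bool:
    """True for 2.6.0, 2.6.1 and 2.6.2, the range named in the advisory.
    Suffixes such as '2.6.2.post1' or '2.6.1+cu121' are reduced to the
    numeric release part before comparison."""
    release = re.match(r"\d+(\.\d+)*", version.strip().lstrip("vV"))
    if not release:
        return False
    parts = release.group(0).split(".")
    return ".".join((parts + ["0", "0"])[:3]) in AFFECTED_VERSIONS


def installed_xinference_version() -> Optional[str]:
    """Version of xinference in the current environment, or None if absent."""
    try:
        return metadata.version("xinference")
    except metadata.PackageNotFoundError:
        return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc_hash(data: bytes) -> bool:
    """True if the artifact's SHA-256 is one of the advisory's hashes."""
    return sha256_hex(data) in IOC_SHA256


def hash_hits_in_dir(root: Path) -> List[Path]:
    """Files under root (e.g. the pip cache or site-packages) whose SHA-256
    matches an IOC hash. Only the exact listed artifacts are caught."""
    return [p for p in root.rglob("*") if p.is_file() and matches_ioc_hash(p.read_bytes())]


def callback_host_hits(log_lines) -> List[Tuple[int, str]]:
    """Log lines mentioning the callback host, with 1-based line numbers.
    Matching the bare hostname (case-insensitively) means scheme, URL path
    and capitalisation in the log do not matter."""
    return [(i, line) for i, line in enumerate(log_lines, 1) if IOC_HOST in line.lower()]


# Generic heuristic (an assumption about the technique, not this payload's
# signature): source that decodes a base64 blob and hands it to exec().
LOADER_RE = re.compile(r"\bexec\s*\(.*\bb64decode\s*\(", re.DOTALL)


def looks_like_b64_loader(source: str) -> bool:
    return bool(LOADER_RE.search(source))


def triage(version: Optional[str], log_lines, module_source: str) -> dict:
    """Combine the checks into one finding record."""
    return {
        "affected_version": bool(version) and is_affected_version(version),
        "network_hits": callback_host_hits(log_lines),
        "loader_suspect": looks_like_b64_loader(module_source),
    }


if __name__ == "__main__":
    # Constructed sample telemetry, not real logs.
    sample_logs = [
        "2026-04-28T10:01:02Z dns A whereisitat.lucyatemysuperbox.space from 10.0.0.5",
        "2026-04-28T10:01:03Z proxy GET https://pypi.org/simple/xinference/ 200",
        "2026-04-28T10:01:04Z proxy POST https://WHEREISITAT.lucyatemysuperbox.space/ 200",
    ]
    # Constructed loader-shaped snippet; the blob only prints 'hi'.
    sample_init = 'import base64\nexec(base64.b64decode("cHJpbnQoJ2hpJyk="))\n'
    print("installed xinference:", installed_xinference_version())
    print(triage("2.6.1", sample_logs, sample_init))
```

Run it on a suspect host, then point hash_hits_in_dir at the pip cache (pip cache dir) and the environment's site-packages; a version hit or a network hit is sufficient to treat the host as compromised, while the loader heuristic on its own only marks a module for manual review.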
Reference:
https://gurucul.com/blog/xinference-pypi-supply-chain-attack-credential-theft-cloud-abuse-and-crypto-wallet-targeting/