TeamPCP threat actors have injected a sophisticated two-stage credential stealer into the xinference PyPI package, compromising the Python package supply chain. This malware is designed to steal user credentials through a multi-stage deployment process. The attack targets developers and users who install the compromised package from the Python Package Index. This represents a significant supply chain attack that could affect numerous Python projects and their users. The incident highlights the ongoing security risks in open-source package repositories.