TeamPCP threat actor injected a two-stage credential stealer into the xinference PyPI package, compromising the software supply chain. This attack targets developers and users who install the malicious package, potentially stealing credentials and sensitive information. The malware operates in two stages, likely to evade detection and maximize data collection. This represents a significant supply chain security incident affecting the Python ecosystem. Organizations using xinference package should immediately assess their exposure and update to clean versions.