TeamPCP is back.
The xinference PyPI package (680K downloads, 9.3K stars) was hijacked. Import it and your cloud credentials, SSH keys, and .env secrets are instantly harvested and exfiltrated.
Versions 2.6.0โ2.6.2 are malicious. If you installed them, assume compromise and rotate everything now.
Full technical breakdown ๐
@treasureteen Newly added skills repository in JFrog artifactory, among all other binaries and content.
You publish skills, Claude (and every other agent) can fetch skills natively.
You have private repositories, repositories per teams and everything.
(I'm from JFrog)
๐จ Security Alert: The Telnyx PyPI package was found to contain a malicious payload in versions 4.87.1 and 4.87.2.
Avoid these versions immediately and rotate any potentially exposed credentials. More details coming soon.