The attackers compromised legitimate xinference releases rather than publishing a typosquat package, embedding malicious code directly into xinference/__init__.py. This ensures execution whenever the package is imported, including during application startup or dependency resolution. The payload is delivered as a base64-encoded script executed via a detached subprocess, allowing it to run stealthily in the background while suppressing output and avoiding disruption to the host application.
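A defender can check an installed package's `__init__.py` for this import-time loader pattern without importing it. The following static check is an added example, not code from the compromised releases or from the xinference project; the indicator names, the `start_new_session`/`DEVNULL` heuristics and both sample sources are assumptions constructed for illustration.

```python
import ast
import base64
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def looks_base64(value, min_len=40):
    """True for a long str/bytes literal made only of padded base64 text."""
    if isinstance(value, bytes):
        value = value.decode("ascii", "ignore")
    return (isinstance(value, str) and len(value) >= min_len
            and len(value) % 4 == 0 and B64_RE.fullmatch(value) is not None)

def scan_init_source(source):
    """Return the sorted indicator names found in one __init__.py source string."""
    found = set()
    for node in ast.walk(ast.parse(source)):  # parsed only, never executed
        if isinstance(node, ast.Constant) and looks_base64(node.value):
            found.add("long-base64-literal")
        elif isinstance(node, ast.Call):
            name = getattr(node.func, "attr", getattr(node.func, "id", ""))
            if name in ("b64decode", "exec", "eval"):
                found.add("decode-or-exec")
            if name in ("Popen", "run", "system"):
                found.add("process-spawn")
                for kw in node.keywords:
                    target = getattr(kw.value, "attr", getattr(kw.value, "id", ""))
                    if kw.arg == "start_new_session" and getattr(kw.value, "value", None) is True:
                        found.add("detached")
                    if kw.arg in ("stdout", "stderr") and target == "DEVNULL":
                        found.add("output-suppressed")
    return sorted(found)

def is_loader_like(source):
    """Flag only the combination: encoded blob + decode/exec + spawned process."""
    needed = {"long-base64-literal", "decode-or-exec", "process-spawn"}
    return needed <= set(scan_init_source(source))

# Constructed samples (hypothetical, not taken from the compromised releases).
_BLOB = base64.b64encode(b"print('constructed, harmless placeholder payload')").decode()
SUSPECT = (
    "import base64, subprocess, sys\n"
    f"_p = '{_BLOB}'\n"
    "subprocess.Popen([sys.executable, '-c', base64.b64decode(_p).decode()],\n"
    "                 start_new_session=True, stdout=subprocess.DEVNULL)\n"
)
BENIGN = "from ._version import get_versions\n__version__ = get_versions()['version']\n"
```

Run `is_loader_like` over the text of each `__init__.py` under site-packages and treat a hit as a prompt to diff the file against the release's source repository, since the individual indicators also occur in legitimate code.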
The malware operates in two stages. The first stage deploys a secondary payload, collects output, compresses it into an archive (love.tar.gz), and exfiltrates it via HTTP POST requests to an attacker-controlled domain using a custom header. The second stage performs extensive host reconnaissance and credential harvesting, targeting SSH keys, cloud credentials (including AWS IMDSv2 tokens), Kubernetes secrets, environment files, API keys, and more. It also includes logic to query AWS services (e.g., Secrets Manager and SSM), indicating a focus on cloud-hosted environments.