AI投毒情报预警 | Xinference国产推理框架遭受供应链窃密后门投毒

news2026/4/27 0:44:08

风险概述北京时间4月22日16点悬镜AI安全情报中心在Pypi官方仓库中监测到国产热门开源AI模型推理框架Xinference短时间内连续发布2.6.0、2.6.1及2.6.2三个版本更新并且在这三个新版本框架源码中都检出混淆代码及高风险恶意行为。在混淆恶意代码中发现 “hacked by teampcp” 相关标记目前猜测项目维护者 Pypi token 泄露导致Pypi发布权限疑似被 TeamPCP 组织接管而引发又一起针对AI数字供应链投毒事件。TeamPCP组织上个月已针对 PyPI 的 litellm、telnyx以及NPM、GitHub 等多个主流开源生态系统实施过类似供应链攻击。Xinference 框架主页投毒版本2.6.2、2.6.1及2.6.0Xinference全称 Xorbits Inference 是一个国产开源、Python开发的通用大模型分布式推理/服务框架用于一键部署、管理、调用开源AI模型提供完整 Python SDK、命令行、Web UI、OpenAI 兼容 API。截至目前Xinference开源推理框架在Pypi官方仓库总下载量超过68万次。Xinference 官网此次针对xinference框架的代码投毒发生在Pypi仓库xinference github 项目https://github.com/xinqiyang/xinference并未受到影响攻击者主要通过xinference/__init__.py模块文件中植入base64编码的恶意代码。开发者一旦安装加载受影响的xinference库import xinference或启动xinference cli即静默触发恶意代码。第一阶段payload创建临时目录注入第二阶段内嵌编码的收集器通过子进程在后台执行并隐藏输出第二阶段收集器对目标主机进行全面信息侦察窃取SSH密钥、Git凭证、AWS密钥、Kubernetes配置、Docker认证信息、包管理器令牌、环境变量文件.env、数据库配置、VPN凭据、TLS私钥、加密货币钱包等敏感数据并外传至攻击者控制的C2服务器。针对此次突发投毒事件悬镜安全已于第一时间将本次AI供应链投毒相关技术细节向XSBOM情报订阅用户推送预警。组件名投毒版本发布时间xinference2.6.2; 2.6.1; 2.6.02026.04.22供应链投毒分析恶意代码植入以xinference2.6.0版本为例攻击者在模块入口文件xinference/__init__.py尾部植入多阶段编码的恶意代码如下图所示投毒文件代码比对恶意代码经过一轮base64解码后直接传入 subprocess.Popen 执行如下图所示第一阶段恶意代码第一阶段恶意代码解码后的如下所示同样内嵌了base64编码的第二阶段恶意代码。第二阶段恶意代码第二阶段恶意代码具体功能拆解如下创建临时目录与文件tempfile.TemporaryDirectory() → collected 文件通过 subprocess.run() 启动 Python 子进程执行第二阶段恶意python代码标准输出重定向到 collected文件若采集结果文件存在且非空将其打包为 love.tar.gz使用curl 静默POST 请求将压缩包以二进制形式上传到攻击者服务器敏感信息采集第二阶段内嵌的恶意代码主要通过walk/emit/run等核心函数系统性采集以下几类敏感数据身份认证凭证SSH 密钥id_rsa/authorized_keys、云服务凭证AWS/Google Cloud/Azure/K8s、容器凭证Docker/kaniko、数据库密码.my.cnf/.pgpass、版本控制凭证.git-credentials等环境变量配置各类.env文件、/etc/environment、云服务环境变量AWS_/KUBE_/GOOGLE_等系统与网络信息主机名、IP、用户信息、/etc/passwd、/etc/shadow系统账号密码、命令历史.bash_history、日志文件auth.log/secure加密货币相关比特币 / 以太坊等加密货币钱包配置、密钥文件云服务信息采集通过 AWS IMDS 元数据服务获取临时凭证调用 AWS SecretsManager/SSM 接口读取更多云内敏感数据。各类身份凭证数据收集加密货币数据收集最终收集的敏感数据会被打包为tar文件: love.tar.gz 并调用curl系统命令将压缩包POST 到攻击者服务器https://whereisitat.lucyatemysuperbox.space完成数据外传。采集数据外传IoC数据此次针对 Xinference 供应链投毒涉及的恶意IoC数据如下表所示排查方式使用pip show xinference查询是否已经安装存在投毒版本2.6.2;2.6.1;2.6.0的组件如果已安装请立即使用pip install xinference2.5.0 -y回滚到安全版本监控恶意域名 whereisitat.lucyatemysuperbox.space 的出站流量或 DNS 查询将恶意域名及IP加入网络黑名单审核系统日志中是否出现 169.254.169.254、169.254.170.2 请求IMDS/容器凭据排查 curl 命令的异常执行记录尤其是带有 X-QT-SR: 14 请求头根据本报告提供的IoC对项目文件进行哈希匹配若命中则立即清除相关恶意文件并更换所有暴露的私钥、API Token、数据库凭据包括 Git、SSH、Kubernetes等并对云端 Secrets 轮换使用悬镜开源工具 OpenSCA-cli将受影响的组件包按如下示例保存为db.json文件并在opensca配置文件中指定db.json文件路径后直接执行扫描命令opensca-cli -path ${project_path}即可快速获知您的项目是否受到投毒包影响。span stylecolor:rgba(0, 0, 0, 0.9)span stylebackground-color:#ffffffcode[ /codecode { /codecode product: span stylecolor:#dd1144xinference/span, /codecode version: span stylecolor:#dd1144[2.6.2, 2.6.1, 2.6.0]/span, /codecode language: span stylecolor:#dd1144Python/span, /codecode id: span stylecolor:#dd1144XMIRROR-MAL45-E3B30934/span, /codecode description: span stylecolor:#dd1144热门开源AI模型推理框架xinference遭受供应链投毒开展窃密后门攻击/span, /codecode release_date: span stylecolor:#dd11442026-04-22/span /codecode }/codecode]/code/span/span7. 快速排查脚本span stylecolor:rgba(0, 0, 0, 0.9)span stylebackground-color:#ffffffcodespan stylecolor:#afafaf#!/bin/bash/span/codecodespan stylecolor:#afafafem# 功能检查是否安装 xinference 2.6.0 / 2.6.1 / 2.6.2 恶意版本/em/span/codecodespan stylecolor:#afafafem# 用法./check_xinference_ioc.sh/em/span/code codespan stylecolor:#afafafem# 定义需要拦截的版本/em/span/codecodeMALICIOUS_VERSIONS(span stylecolor:#dd11442.6.0/span span stylecolor:#dd11442.6.1/span span stylecolor:#dd11442.6.2/span)/code codespan stylecolor:#afafafem# 查询已安装的 xinference 版本兼容 pip / pip3/em/span/codecodeINSTALLED$(pip3 show xinference 2/dev/null | grep ^Version: | awk span stylecolor:#dd1144{print $2}/span)/codecodespan stylecolor:#ca7d37if/span [ -z span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$INSTALLED/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode INSTALLED$(pip show xinference 2/dev/null | grep ^Version: | awk span stylecolor:#dd1144{print $2}/span)/codecodespan stylecolor:#ca7d37fi/span/code codespan stylecolor:#afafafem# 未安装则直接退出/em/span/codecodespan stylecolor:#ca7d37if/span [ -z span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$INSTALLED/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144xinference 未安装/span/codecode span stylecolor:#ca7d37exit/span 0/codecodespan stylecolor:#ca7d37fi/span/code codespan stylecolor:#afafafem# 匹配恶意版本/em/span/codecodespan stylecolor:#ca7d37for/span v span stylecolor:#ca7d37in/span span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5${MALICIOUS_VERSIONS[]}/span/spanspan stylecolor:#dd1144/span; span stylecolor:#ca7d37do/span/codecode span stylecolor:#ca7d37if/span [ span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$INSTALLED/span/spanspan stylecolor:#dd1144/span span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$v/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37echo/span -e span stylecolor:#dd1144\033[31mCompromised!\033[0m/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144已安装恶意版本 xinference /spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$INSTALLED/span/spanspan stylecolor:#dd1144/span/codecode span stylecolor:#ca7d37exit/span 1/codecode span stylecolor:#ca7d37fi/span/codecodespan stylecolor:#ca7d37done/span/code codespan stylecolor:#afafafem# 安全版本/em/span/codecodespan stylecolor:#ca7d37echo/span span stylecolor:#dd1144xinference 版本安全/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$INSTALLED/span/spanspan stylecolor:#dd1144/span/code /span/spanspan stylecolor:rgba(0, 0, 0, 0.9)span stylebackground-color:#ffffffcodespan stylecolor:#afafaf#!/bin/bash/span/codecodespan stylecolor:#afafafem# 功能递归扫描指定目录计算文件MD5匹配恶意IOC命中则告警/em/span/codecodespan stylecolor:#afafafem# 用法sudo ./check_xinference_md5_ioc.sh 目标扫描目录 (如 /tmp /root /home)/em/span/code codespan stylecolor:#afafafem# 定义恶意MD5 IOC列表/em/span/codecodeMALICIOUS_MD5(/codecodespan stylecolor:#dd1144971670c10eff28339a085ca50a600e35/span/codecodespan stylecolor:#dd11448673c50ccff8e2acc8d3c31463c36490/span/codecodespan stylecolor:#dd11449b3257e45b27a6bbe4e240e41a3a306f/span/codecodespan stylecolor:#dd114467de6bf436257442e95efa9fab159e10/span/codecodespan stylecolor:#dd1144484067fd6232f7cdd7b664b33857fc2c/span/codecodespan stylecolor:#dd1144fe407adc7d14ab0ba6f415914fbf7959/span/codecodespan stylecolor:#dd11443ee893ae46530b92e0d26435fb979d82/span/codecodespan stylecolor:#dd1144e291734d46c313a23d676681499f8846/span/codecodespan stylecolor:#dd1144c6ce4e25f7fe3e3bb1eea2e9052483bf/span/codecode)/code codespan stylecolor:#afafafem# 检查是否传入目录参数/em/span/codecodespan stylecolor:#ca7d37if/span [ span stylecolor:#0e9ce5$#/span -ne 1 ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144用法/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$0/span/spanspan stylecolor:#dd1144 需要扫描的目录/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144示例/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$0/span/spanspan stylecolor:#dd1144 /tmp/span/codecode span stylecolor:#ca7d37exit/span 1/codecodespan stylecolor:#ca7d37fi/span/code codeSCAN_DIRspan stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$1/span/spanspan stylecolor:#dd1144/span/code codespan stylecolor:#afafafem# 检查目录是否存在/em/span/codecodespan stylecolor:#ca7d37if/span [ ! -d span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$SCAN_DIR/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144错误目录 /spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$SCAN_DIR/span/spanspan stylecolor:#dd1144 不存在/span/codecode span stylecolor:#ca7d37exit/span 1/codecodespan stylecolor:#ca7d37fi/span/code codespan stylecolor:#ca7d37echo/span span stylecolor:#dd1144/span/codecodespan stylecolor:#ca7d37echo/span span stylecolor:#dd1144 开始扫描目录/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$SCAN_DIR/span/spanspan stylecolor:#dd1144/span/codecodespan stylecolor:#ca7d37echo/span span stylecolor:#dd1144 递归扫描所有文件匹配恶意MD5.../span/codecodespan stylecolor:#ca7d37echo/span span stylecolor:#dd1144/span/codecodespan stylecolor:#ca7d37echo/span/code codespan stylecolor:#afafafem# 递归遍历文件计算MD5 匹配IOC/em/span/codecodefind span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$SCAN_DIR/span/spanspan stylecolor:#dd1144/span -span stylecolor:#ca7d37type/span f | span stylecolor:#ca7d37while/span span stylecolor:#ca7d37read/span -r file; span stylecolor:#ca7d37do/span/codecode span stylecolor:#afafafem# 计算文件MD5/em/span/codecode current_md5$(span stylecolor:#ca7d37md5sum/span span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$file/span/spanspan stylecolor:#dd1144/span 2/dev/null | awk span stylecolor:#dd1144{print $1}/span)/code code span stylecolor:#afafafem# 跳过无法读取的文件/em/span/codecode span stylecolor:#ca7d37if/span [ -z span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$current_md5/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37continue/span/codecode span stylecolor:#ca7d37fi/span/code code span stylecolor:#afafafem# 匹配恶意MD5/em/span/codecode span stylecolor:#ca7d37for/span malicious span stylecolor:#ca7d37in/span span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5${MALICIOUS_MD5[]}/span/spanspan stylecolor:#dd1144/span; span stylecolor:#ca7d37do/span/codecode span stylecolor:#ca7d37if/span [ span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$current_md5/span/spanspan stylecolor:#dd1144/span span stylecolor:#dd1144/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$malicious/span/spanspan stylecolor:#dd1144/span ]; span stylecolor:#ca7d37then/span/codecode span stylecolor:#ca7d37echo/span -e span stylecolor:#dd1144\033[31m[!] Compromised! 发现恶意文件\033[0m/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144文件路径/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$file/span/spanspan stylecolor:#dd1144/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144匹配MD5/spanspan stylecolor:#dd1144span stylecolor:#0e9ce5$current_md5/span/spanspan stylecolor:#dd1144/span/codecode span stylecolor:#ca7d37echo/span span stylecolor:#dd1144---------------------------------------------/span/codecode span stylecolor:#ca7d37fi/span/codecode span stylecolor:#ca7d37done/span/codecodespan stylecolor:#ca7d37done/span/code codespan stylecolor:#ca7d37echo/span -e span stylecolor:#dd1144\n扫描完成/span/code /span/span近期悬镜安全正式发布的新一代AI原生安全治理平台“问境AIST”已将 AI 供应链安全情报纳入整体治理框架当外部出现针对特定 AI 框架、模型组件或数据链路的 0Day 攻击与投毒事件时AIST平台能够根据AI-BOM快速识别受影响范围定位关联资产与代码链路并为修复和处置提供更具针对性的依据帮助企业构建起小时级的风险响应闭环。

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.coloradmin.cn/o/2547479.html

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈，一经查实，立即删除！