TeamPCP Compromises Popular Python Package, Telnyx, in Ongoing Supply Chain Attack
In a significant breach of cybersecurity, TeamPCP, a notorious threat actor, has successfully compromised the widely used Python package, Telnyx. This incident marks another chapter in a series of supply chain attacks that have recently plagued the software development landscape, particularly targeting popular libraries to facilitate data theft.
On March 27, 2026, TeamPCP published two malicious versions of the Telnyx package—versions 4.87.1 and 4.87.2—on the Python Package Index (PyPI). These versions were designed specifically to harvest sensitive user data, cleverly concealing their malicious functions within a seemingly innocuous .WAV audio file. Security experts have urged users to downgrade immediately to version 4.87.0, as the compromised versions have since been quarantined by the PyPI team.
Reports from various cybersecurity firms, including Aikido, Endor Labs, Ossprey Security, SafeDep, and Socket, indicate that the malicious code was strategically injected into the “telnyx/_client.py” file. As soon as this compromised package is imported into a Python application, the malware activates. The attack is not limited to a specific operating system and targets Windows, Linux, and macOS alike.
In analyzing the attack methodology, Socket highlighted a sophisticated three-stage runtime attack chain used in Linux and macOS environments. This involves the delivery of the malicious payload through audio steganography, the in-memory execution of a data harvester, and encrypted exfiltration. Importantly, this entire chain operates within a self-destructing temporary directory, leaving minimal forensic artifacts behind, which complicates detection and response efforts.
For Windows systems, the sequence of events is even more alarming. The malware downloads an audio file named “hangup.wav” from a command-and-control (C2) server. It extracts an executable from this audio file and places it in the Windows Startup folder as “msbuild.exe,” ensuring the malware persists even after system reboots. This clever strategy allows it to automatically run every time a user logs into their computer, thus maintaining long-term access for the threat actor.
On the flip side, when the compromised host is running Linux or macOS, the malware fetches a different audio file called “ringtone.wav.” This file is used to extract a third-stage collector script that harvests a diverse array of sensitive information. The stolen data is then exfiltrated in a compressed format through an HTTP POST request to the server at “83.142.209[.]203:8080.”
Commenting on this novel technique, Ossprey Security pointed out the strategic choice of utilizing audio steganography for the final payload delivery. Rather than resorting to more conventional methods like hosting a blatant executable file on the C2 server—an approach easily flagged by network inspection tools—the attackers chose to embed their malicious payload within a benign-looking audio file.
The precise mechanism by which TeamPCP acquired the Telnyx package’s authentication token remains unclear, but researchers suggest it may stem from an earlier credential harvesting operation. Endor Labs’ researchers, Kiran Raj and Rachana Misal, speculated that the compromise of the litellm package could be the most likely vector. During this previous attack, TeamPCP’s harvester swept through environment variables, .env files, and shell histories across systems that imported litellm. Thus, if any developer or continuous integration/continuous deployment (CI/CD) pipeline linked to both packages had a valid Telnyx token accessible, the attackers would have likely commandeered that token without difficulty.
Researchers also noted that the Linux and macOS variants have no persistence mechanism comparable to the Windows one. Instead, they operate in a "smash-and-grab" manner, focusing solely on rapid data harvesting and immediate exfiltration and leaving little trace once complete. Socket summarized the design difference: Windows hosts receive long-term persistence through a binary in the Startup folder, while Linux and macOS hosts experience a transient but swift data theft operation.
This incident follows closely on the heels of TeamPCP’s dissemination of trojan versions of the litellm package designed for harvesting cloud credentials, CI/CD secrets, and other sensitive keys. The broader campaign reflects an alarming trend of outright weaponization of supply chain vulnerabilities, wherein attackers leverage trusted software libraries with extensive user bases to distribute malware more effectively.
This intentional focus on tools that hold elevated access within software development pipelines underscores a grim reality in the cybersecurity landscape. As companies increasingly rely on third-party libraries and tools—such as Trivy, an open-source container scanner, and KICS, an infrastructure scanning tool—threat actors recognize these as prime targets for maximizing the impact of their attacks.
To mitigate the risks posed by this compromise, experts recommend several immediate actions for developers and organizations: audit Python environments and requirements.txt files for any instance of the compromised Telnyx versions, replace any found with the untainted version, assume that secrets reachable from those environments are compromised and rotate all credentials, search the Windows Startup folder for a file named “msbuild.exe,” and block the malicious C2 and exfiltration domain.
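One way to carry out the audit step above, as an added example that is not from the article or from any of the firms it cites: the script below flags requirements.txt lines that pin telnyx to 4.87.1 or 4.87.2 (or leave it loose enough to resolve to them) and checks the running interpreter's installed telnyx distribution. The requirements parsing is a small PEP 508 subset written for this example, and the sample file is constructed.

```python
"""Audit requirements.txt text and the local environment for the Telnyx releases named in the advisory."""
import re
from importlib import metadata

COMPROMISED = {"4.87.1", "4.87.2"}   # malicious releases named in the advisory
CLEAN_PIN = "telnyx==4.87.0"          # last clean release named in the advisory

# name, optional [extras], then the rest of the requirement (specifier and markers)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*(#.*)?$")

def audit_requirements(text):
    """Return (line_number, line, reason) for every telnyx requirement that is
    pinned to a compromised release or is loose enough to resolve to one."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):   # comments and pip options
            continue
        m = _REQ.match(line)
        if not m or m.group(1).lower().replace("_", "-") != "telnyx":
            continue
        spec = m.group(3).split(";")[0].strip()       # drop environment markers
        pinned = re.fullmatch(r"==\s*([0-9][0-9.]*)", spec)
        if pinned and pinned.group(1) in COMPROMISED:
            findings.append((lineno, raw,
                             f"pinned to compromised release {pinned.group(1)}; use {CLEAN_PIN}"))
        elif not pinned:
            findings.append((lineno, raw,
                             f"not pinned with ==; confirm the resolved version is not in {sorted(COMPROMISED)}"))
    return findings

def audit_environment():
    """Return (installed_version, is_compromised) for telnyx here, or None if not installed."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None
    return version, version in COMPROMISED

# Constructed sample requirements file; the versions are the ones the advisory names.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx==4.87.2   # SDK used by the billing service
telnyx>=4.80 ; python_version >= "3.9"
telnyx==4.87.0
"""

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS), audit_environment())
```

Run it against each project's requirements file and inside each virtual environment; a finding on the installed distribution means the import-time payload may already have executed on that host.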
In conclusion, the supply chain incident involving Telnyx embodies a disturbing evolution in cyber threats, where ransomware gangs and other malicious groups are increasingly orchestrating sophisticated attacks targeting open-source infrastructures. The implications are profound, presenting a pressing need for organizations to scrutinize and secure their CI/CD environments, especially those employing third-party tools that may inadvertently serve as vectors for future attacks.