In a sophisticated cyberattack, TeamPCP has targeted the Telnyx package available on the Python Package Index (PyPI), introducing two compromised versions aimed at stealing confidential information. This breach follows their previous attack on popular tools like Trivy and KICS. The malicious versions, 4.87.1 and 4.87.2, surfaced on March 27, 2026, employing a unique method of embedding credential-stealing malware within a .WAV file. Users are urged to revert to version 4.87.0 promptly; the compromised versions have since been quarantined.
Details of the Telnyx Compromise
Reports from multiple cybersecurity firms, including Aikido, Endor Labs, and Socket, confirm that the malicious code resides in ‘telnyx/_client.py’. This code becomes active when the package is loaded into a Python application, targeting systems across Windows, Linux, and macOS platforms. The attack chain on Linux and macOS involves a three-step process that starts with delivery through audio steganography, followed by in-memory execution of the malware, and concludes with encrypted data exfiltration.
On Windows, the attack involves downloading a file named ‘hangup.wav’ from a command-and-control server, extracting an executable from it, and placing it in the Startup folder as ‘msbuild.exe’. This allows the malware to persist through system reboots. In contrast, the Linux and macOS systems receive a different .WAV file, ‘ringtone.wav’, which extracts a collector script to harvest sensitive data, subsequently transmitting it to a remote server.
Analysis of the Attack Techniques
This attack stands out due to its use of audio steganography, a technique that conceals the final payload within a .WAV file, thereby evading traditional detection mechanisms. The method avoids using raw executables or base64 blobs that are easily flagged by network and endpoint detection tools. The origin of the PyPI token used by TeamPCP remains unclear, though it may have been acquired during a prior compromise of the litellm package.
Endor Labs researchers suggest that TeamPCP likely harvested environment variables and shell histories from systems using litellm, potentially capturing the Telnyx PyPI token in the process. Notably, the attack lacks a persistence mechanism on Linux and macOS, opting instead for a rapid ‘smash-and-grab’ operation that deletes its traces post-execution.
Recommendations and Wider Implications
Developers are advised to conduct a thorough audit of their Python environments, specifically checking for the presence of Telnyx 4.87.1 or 4.87.2 in their requirements. If found, these versions should be replaced immediately with a secure alternative. It is also recommended to rotate all compromised credentials and block the identified command-and-control domains.
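One way to carry out the audit described above, as an added example that is not code from the article, from Telnyx, or from any of the firms cited: the script below scans requirements-style text for exact pins of telnyx to 4.87.1 or 4.87.2 (handling case, underscore/hyphen variants, extras and trailing comments) and checks the running interpreter's installed telnyx distribution. The sample requirements file is constructed for demonstration; only `==` pins are inspected, so unpinned specifications must be resolved from the lock file or the installed set.

```python
"""Audit a Python environment for the compromised telnyx releases.

Added example, not from the article or from Telnyx: flags telnyx pinned to
4.87.1 or 4.87.2 in requirements text and in the installed distributions.
"""
import re
from importlib import metadata
from typing import List, Optional, Tuple

COMPROMISED_VERSIONS = frozenset({"4.87.1", "4.87.2"})  # versions named in the article
SAFE_VERSION = "4.87.0"  # the version the article says to revert to

# Matches exact pins such as "telnyx==4.87.1" or "Telnyx [async] == 4.87.2".
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*(?P<version>[0-9][0-9A-Za-z.]*)"
)

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, version) for every telnyx pin at a compromised version."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):  # skip blanks and options like -r / -e
            continue
        m = _REQ_RE.match(line)
        if m and normalize(m.group("name")) == "telnyx" and m.group("version") in COMPROMISED_VERSIONS:
            hits.append((lineno, m.group("version")))
    return hits

def check_installed() -> Optional[str]:
    """Return the installed telnyx version if it is a compromised release, else None."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None
    return version if version in COMPROMISED_VERSIONS else None

def remediation(version: str) -> str:
    return (f"telnyx=={version} is compromised; pin telnyx=={SAFE_VERSION}, rotate credentials "
            f"the environment held, and block the published C2 domains")

# Constructed sample requirements file (not a real project's file).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx == 4.87.1   # added March 2026
telnyx[async]==4.87.2
telnyx==4.87.0
"""

if __name__ == "__main__":
    for lineno, version in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {remediation(version)}")
    print("installed telnyx:", check_installed() or "not a compromised version")
```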
This breach is part of an expansive campaign by TeamPCP, leveraging collaborations with other cybercriminal groups to conduct extortion and ransomware attacks. The incident highlights the evolving threat landscape, where attackers are increasingly targeting the supply chain as a vector for initiating attacks. As such, organizations must scrutinize any tool that has broad access in CI/CD environments, as these can serve as potential entry points for future threats.
