A supply-chain compromise of the Telnyx Python SDK, a widely used package on PyPI, the primary package index for Python, has come to light. On March 27, 2026, a threat actor tracked as TeamPCP uploaded two trojanized versions of the package, exposing every environment that installed them while they were live.
Details of the Security Breach
The altered versions, 4.87.1 and 4.87.2, were available for roughly four hours before PyPI quarantined them. Any system that installed either version in that window could have been compromised with no visible sign of intrusion: the package still installed and imported as expected.
The Telnyx package is not obscure; it records around 750,000 downloads a month, so the blast radius extends well beyond direct users to any project or service that pulls it in as a transitive dependency. The attackers modified a single file and left the rest of the package unchanged, which makes the tampering harder to spot in a diff or a casual review.
Mechanics of the Attack
The upload was part of a broader supply-chain campaign by TeamPCP, which has been linked to the TeamTNT group. The same campaign hit several other platforms and packages within a short period, each attack more refined than the last.
The compromised package ran a three-stage chain. First, a platform-specific loader executed. It then fetched a hidden payload from a remote server, disguised inside a WAV audio file. Finally, the payload harvested credentials from the host, encrypted them, and exfiltrated them to an attacker-controlled server.
Mitigation and Response Measures
The infection hook was a modified _client.py, which runs automatically when the library is imported, so merely importing telnyx was enough to start the chain; no SDK function had to be called. To conceal the activity, the attackers base64-encoded the sensitive content involved, which defeats naive string matching but is trivially reversed once the code is actually read.
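An import-time hook of the kind described above leaves a recognisable shape in the source: a module-level statement (or a module-level function that such a statement calls) that both decodes an embedded blob and hands the result to exec, a subprocess, or a network fetch. The following triage scanner, added here as an example and not code from the article, from Telnyx, or from the real malicious package, walks the AST of a Python file and flags that pattern plus any long base64-looking literal. The sample _client.py it scans is a constructed stand-in whose blob is filler; the decode/execute name sets are this example's own choices and the tool is a heuristic for triage, not proof of compromise.

```python
import ast
import re

# Names that decode or unpack an embedded blob, and names that execute, spawn
# or fetch. A module-level statement reaching one of each is the triage signal
# for an import-time loader. Both sets are this example's own choices.
DECODE_CALLS = {"b64decode", "a85decode", "b32decode", "decompress", "unhexlify"}
EXEC_CALLS = {"exec", "eval", "compile", "system", "Popen", "run", "call",
              "check_output", "urlopen", "urlretrieve"}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _call_name(node: ast.Call) -> str:
    """Return the bare callee name for foo(...) or pkg.mod.foo(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _call_names(node: ast.AST) -> set[str]:
    return {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}


def import_time_statements(body: list[ast.stmt]):
    """Yield the simple statements that run when the module is imported.
    def/class bodies are skipped (they run only when called); if/for/while/
    with/try blocks are descended into, because their bodies do run on import."""
    for stmt in body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if isinstance(stmt, (ast.If, ast.For, ast.While, ast.With, ast.Try)):
            for field in ("body", "orelse", "finalbody"):
                yield from import_time_statements(getattr(stmt, field, []))
            for handler in getattr(stmt, "handlers", []):
                yield from import_time_statements(handler.body)
        else:
            yield stmt


def scan_source(src: str) -> list[tuple[int, str]]:
    """Return (line, description) findings for src. Two heuristics:
    1. an import-time statement whose calls (following one hop into any
       module-level function it invokes) include both a decode primitive
       and an execute/spawn/fetch primitive;
    2. any string literal of 64+ characters drawn only from the base64 alphabet.
    Expect false positives on legitimate SDK code; review every hit by hand."""
    tree = ast.parse(src)
    local_funcs = {n.name: n for n in tree.body
                   if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    findings = []
    for stmt in import_time_statements(tree.body):
        names = _call_names(stmt)
        for callee in list(names):
            if callee in local_funcs:
                names |= _call_names(local_funcs[callee])
        if names & DECODE_CALLS and names & EXEC_CALLS:
            hits = ", ".join(sorted(names & (DECODE_CALLS | EXEC_CALLS)))
            findings.append((stmt.lineno, f"decode+execute at import time: {hits}"))
    for node in ast.walk(tree):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) >= 64 and BASE64_RE.fullmatch(node.value)):
            findings.append((node.lineno, "long base64-like literal"))
    return findings


# Constructed stand-in for a tampered _client.py. It is parsed, never executed,
# and the literal is filler, not the real payload.
SAMPLE_CLIENT = '''\
import base64, os

class Client:
    """Benign SDK code; base64 inside a method is not an import-time signal."""
    def auth_header(self, key):
        return "Basic " + base64.b64encode(key.encode()).decode()

def _bootstrap():
    blob = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
    exec(base64.b64decode(blob))

if os.name in ("posix", "nt"):
    _bootstrap()
'''

if __name__ == "__main__":
    for line, what in scan_source(SAMPLE_CLIENT):
        print(f"{line}: {what}")
```

For a real check, confirm the installed version first with `python -m pip show telnyx`, then feed the file that `pip show -f telnyx` lists as `_client.py` to `scan_source`. The one-hop follow is what catches the sample: the only import-time statement is `_bootstrap()`, which is harmless on its own, and the decode/exec pair lives in the function it calls.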
Organizations that installed either affected version should treat the host as compromised and start incident response immediately: rotate every credential the host could reach (API keys, cloud and CI tokens, SSH keys, anything in environment variables or dotfiles), and hunt for and remove any persistence the payload established rather than relying on uninstalling the package.
Preventative measures matter more than after-the-fact cleanup. Consumers should pin dependencies to exact versions and use a lockfile that records artifact hashes, so a newly published release cannot be pulled in by a version range and a substituted artifact fails hash verification. A pin only helps if the pinned version is clean (a pin to 4.87.1 taken during the four-hour window would not have saved anyone); its value is that upgrades become a deliberate, reviewable step rather than an automatic one. Package maintainers should enable two-factor authentication on their PyPI accounts, and nobody should keep secrets in unprotected files where an import-time payload can read them. Blocking the attacker-controlled addresses associated with the campaign at the firewall is also recommended, to cut off exfiltration from any host that is already infected.
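Pinning and lockfiles are only useful if they are actually enforced, so the audit below (an added example, not the article's or Telnyx's code) classifies each line of a requirements file as pinned-and-hashed, pinned without a hash, unpinned, or pinned to one of the two affected releases. The sample requirements text is constructed and its sha256 values are placeholders, not real digests of any package.

```python
import re

# Versions named in the article. The sample below and its digests are constructed.
AFFECTED = {"4.87.1", "4.87.2"}
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|!=|>|<)?\s*([\w.*+!-]+)?")


def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Classify each requirement line as one of:
       'affected'  exact pin of telnyx to a version named in the article
       'unpinned'  no '==' pin, so a resolver may pick up a freshly published
                   malicious release on the next install
       'no-hash'   pinned by version only; artifact integrity is not checked,
                   so an index or mirror serving a different file would pass
       'ok'        pinned by version and by --hash
    Backslash continuations are joined first, as pip does; blank lines,
    comments and option lines (-r, -i, -e, ...) are skipped."""
    joined = text.replace("\\\n", " ")
    results = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if name == "telnyx" and op == "==" and ver in AFFECTED:
            status = "affected"
        elif op != "==":
            status = "unpinned"
        elif "--hash=" not in line:
            status = "no-hash"
        else:
            status = "ok"
        results.append((name, status))
    return results


# Constructed sample requirements file; the digests are placeholders, not real hashes.
SAMPLE_REQUIREMENTS = """\
# constructed sample, hashes are placeholders and not real digests
telnyx==4.87.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.31
urllib3==2.2.1
certifi==2024.2.2 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for name, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:10} {status}")
```

Once every line is 'ok', install with `pip install --require-hashes -r requirements.txt`, which makes pip refuse any requirement that lacks a hash or whose downloaded artifact does not match. `pip-compile --generate-hashes` from pip-tools produces such a file from loose top-level requirements, so a version bump for telnyx shows up as a reviewable diff rather than a silent upgrade.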
