A group of cybercriminals known as TeamPCP has compromised the Telnyx Python SDK on PyPI, a widely used cloud communications library that saw over 700,000 downloads in February 2026. The compromise is part of a larger campaign aimed at stealing credentials from systems running Windows, macOS, and Linux.
Malicious Package Deployment
On March 27, 2026, TeamPCP released two harmful package versions, 4.87.1 and 4.87.2, on the Python Package Index (PyPI), without corresponding commits to the official GitHub repository. This breach reflects one of the most extensive supply chain attacks on open-source developers this year, underscoring the evolving threats in software development environments.
This attack closely followed the compromise of the LiteLLM AI proxy package, indicating a rapid escalation in TeamPCP’s activities. Their focus appears to be on trusted open-source libraries that support AI and developer tools, showcasing their ability to embed malicious code stealthily into legitimate package releases without immediate detection.
Analysis and Impact
Security experts at Trend Micro flagged the Telnyx attack, noting that the compromised versions were removed from PyPI approximately 6.5 hours after being uploaded. The attackers embedded the harmful code in the telnyx/_client.py file, where it ran as soon as the module was imported, so a developer system was compromised with almost no interaction beyond installing and using the package.
The attack’s ramifications are severe, urging any user of the affected package versions to assume their systems are compromised. The embedded payload was engineered to siphon credentials to an attacker-controlled server, employing robust encryption methods such as AES-256-CBC and RSA-4096. Additionally, Windows users faced further risk with a mechanism ensuring the malware’s persistence across reboots.
Technical Innovations in the Attack
TeamPCP’s attack introduced a novel approach by embedding the credential-stealing payload within WAV audio files. Unlike previous attacks where the payload was directly encoded within the source as Base64, the Telnyx variant fetched the malware from a command-and-control server, cunningly disguising it within a legitimate audio file format.
This method effectively bypassed traditional static code analysis, as the actual malicious logic did not reside in the visible code base. The loader read the raw audio data, Base64-decoded it, decrypted the result with a rotating XOR key, and only then executed it. This layered concealment posed significant challenges for defenders relying on a straightforward visual inspection of the code.
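As an added example (not from the Trend Micro analysis or the Telnyx project), a defender-side check for the concealment technique described above: parse a RIFF/WAVE file and flag one whose data chunk is Base64 text rather than audio samples. The 95% threshold, the heuristic itself and both sample files are assumptions constructed here; the real loader's exact file layout is not described in the report.

```python
import base64
import io
import struct
import wave

# Base64 alphabet, padding and line breaks; PCM audio rarely stays inside it for long.
B64_BYTES = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")


def wav_data_chunk(blob: bytes) -> bytes:
    """Walk the RIFF chunk list and return the raw 'data' chunk body (b'' if absent)."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id, size = blob[pos:pos + 4], struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if chunk_id == b"data":
            return blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return b""


def wav_data_looks_like_base64(blob: bytes, threshold: float = 0.95) -> bool:
    """Constructed heuristic: True when the 'data' chunk is almost entirely Base64 text
    that decodes cleanly, i.e. text smuggled where audio samples should be."""
    data = wav_data_chunk(blob)
    if len(data) < 64:
        return False
    if sum(b in B64_BYTES for b in data) / len(data) < threshold:
        return False
    try:
        base64.b64decode(data.replace(b"\r", b"").replace(b"\n", b""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def make_pcm_wav(n_frames: int = 4000) -> bytes:
    """Constructed benign sample: 8-bit mono sawtooth written with the stdlib wave module."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1); w.setsampwidth(1); w.setframerate(8000)
        w.writeframes(bytes((i * 7) % 256 for i in range(n_frames)))
    return buf.getvalue()


def make_smuggling_wav(payload: bytes) -> bytes:
    """Constructed suspicious sample: valid RIFF/WAVE headers, but the 'data' chunk is Base64 text."""
    body = base64.b64encode(payload)
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
    chunks = b"fmt " + struct.pack("<I", len(fmt)) + fmt + b"data" + struct.pack("<I", len(body)) + body
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WAVE" + chunks
```

Run against WAV files pulled from proxy or CI artifact logs, the check separates genuine audio from text smuggled behind a valid header; it is a triage signal, not proof, since a legitimate file with an unusual codec could also fall outside the PCM expectation.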
For Windows systems, the attackers installed a deceptive executable named msbuild.exe in the Startup directory to ensure persistence. Organizations are advised to monitor for unusual WAV file downloads from non-media IP addresses over port 8080 and unexpected outbound HTTP requests to mitigate risks.
Users are strongly encouraged to revert to the safe version 4.87.0 of the Telnyx SDK and rotate credentials for accounts potentially exposed. Continuous monitoring of CI/CD pipelines for unexpected file downloads or connections is also recommended to safeguard against future threats.
