TeamPCP Compromises Telnyx Python Package on PyPI, Conceals Credential Stealer in WAV Files
In a significant cybersecurity breach, the threat actor known as TeamPCP has compromised the Telnyx Python package by publishing malicious versions designed to harvest sensitive data. This incident follows a series of supply chain attacks targeting other prominent tools, including Trivy, KICS, and litellm. The malicious versions, 4.87.1 and 4.87.2, were published on March 27, 2026, on the Python Package Index (PyPI) and concealed their credential-stealing payload inside a .WAV file. Users are urged to pin to version 4.87.0, the last clean release, as the compromised project is currently quarantined on PyPI.
Technical Overview of the Attack
Reports from various cybersecurity firms, including Aikido, Endor Labs, and Ossprey Security, indicate that the malicious code was injected into the “telnyx/_client.py” file. This code is triggered upon importing the package into a Python application, affecting systems running Windows, Linux, and macOS. The attack employs a sophisticated three-stage runtime chain on Linux and macOS, utilizing audio steganography for delivery, in-memory execution of a data harvester, and encrypted data exfiltration.
According to Socket, a cybersecurity firm analyzing the attack, “The entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host.” This technique minimizes the chances of detection by traditional security measures.
On Windows systems, the malware downloads a file named “hangup.wav” from a command-and-control (C2) server. This file carries an executable that is extracted and placed in the Startup folder as “msbuild.exe,” allowing it to persist across system reboots. On Linux or macOS, a different .WAV file, “ringtone.wav,” is fetched and a third-stage collector script is extracted from it. This script captures a wide array of sensitive data and exfiltrates it as “tpcp.tar.gz” via an HTTP POST request to the attacker-controlled IP address 83.142.209[.]203.
Implications of Audio Steganography
The use of audio steganography in this attack is particularly noteworthy. As Ossprey Security points out, “Rather than hosting a raw executable or a base64 blob on the C2, both of which are trivially flagged by network inspection and EDR, the attacker wraps the payload inside a .WAV file.” This innovative method complicates detection efforts and highlights the evolving tactics employed by cybercriminals.
The origins of the compromised PyPI token used by TeamPCP remain unclear, but it is suspected that it was obtained through a previous credential harvesting operation. Researchers from Endor Labs suggest that the most likely vector was the earlier compromise of the litellm package, which allowed TeamPCP to sweep environment variables, .env files, and shell histories from any system that imported litellm.
Broader Context of Supply Chain Attacks
This incident is part of a larger trend in which threat actors are increasingly targeting trusted software packages to distribute malware. The strategic selection of tools with elevated access to automated pipelines—such as Trivy, KICS, and litellm—highlights a shift in tactics. Each of these tools inherently requires broad read access to system credentials, configurations, and environment variables, making them attractive targets for attackers.
Snyk emphasizes this point, stating, “The target selection across this campaign focuses on tools with elevated access to automated pipelines.” This approach allows attackers to maximize their impact by compromising software that is widely used within development environments.
Recommended Mitigation Strategies
To mitigate the risks associated with this breach, developers are advised to take immediate action:
- Audit Python environments and requirements files (and any lockfiles such as poetry.lock or Pipfile.lock that pin telnyx) for telnyx==4.87.1 or telnyx==4.87.2. If found, pin to 4.87.0, the last clean release, and reinstall. An unpinned or range specifier (for example telnyx>=4.80) could also have resolved to a malicious version while those releases were live, so treat such entries as exposure too.
- Assume that any host or CI runner that imported the compromised package is compromised, since the payload runs at import time, and rotate every secret that was reachable from it, including environment variables, .env files and API tokens.
- On Windows, check the Startup folder for “msbuild.exe.” The legitimate MSBuild binary ships with the .NET SDK and Visual Studio and is not installed in Startup, so any copy found there is suspect.
- Block the C2 and exfiltration IP address identified as “83.142.209[.]203” and search proxy and firewall logs for HTTP POST requests to it, particularly uploads named “tpcp.tar.gz.”
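As an added example (not code from the article, from Telnyx, or from any of the firms quoted), the following Python script automates the audit steps above: it parses requirements files for exact pins to the two compromised releases, flags unpinned or range specifiers that could have resolved to them, reads the installed telnyx version through importlib.metadata, and looks for msbuild.exe in the per-user Windows Startup folder. The version numbers and the artefact name come from the article; the requirements*.txt file-name heuristic and the sample requirements text embedded below are assumptions of this example.

```python
"""Audit helper for the telnyx PyPI compromise described above.

Added example, not code from the original article or from Telnyx. The
package name, malicious versions (4.87.1, 4.87.2), last clean version
(4.87.0) and Startup-folder artefact (msbuild.exe) come from the article;
the file-naming heuristic and the sample requirements text are assumptions.
"""
from __future__ import annotations

import os
import re
from importlib import metadata
from pathlib import Path

PACKAGE = "telnyx"
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"
STARTUP_ARTEFACT = "msbuild.exe"

# One requirement line: name, optional extras, optional single version clause.
# "===" must precede "==" in the alternation or "===x" would parse as "==" "=x".
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<ver>[^\s;,#]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements_text(text: str) -> list[dict]:
    """Return one finding per line that references the package.

    "malicious": exact pin to a compromised release.
    "unpinned":  bare name, range or URL that could have resolved to a
                 compromised release while those releases were live on PyPI.
    Clean exact pins produce no finding.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # skip options such as -r / -e
            continue
        m = REQ_RE.match(line)
        if not m or normalize(m.group("name")) != PACKAGE:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "===") and ver in MALICIOUS_VERSIONS:
            findings.append({"line": lineno, "spec": line, "severity": "malicious"})
        elif op not in ("==", "==="):
            findings.append({"line": lineno, "spec": line, "severity": "unpinned"})
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every requirements*.txt below root (heuristic); map path -> findings."""
    results = {}
    for path in root.rglob("requirements*.txt"):
        findings = scan_requirements_text(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


def installed_version(package: str = PACKAGE) -> str | None:
    """Version of the package installed in the current interpreter, if any."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def classify_installed(version: str | None) -> str:
    if version is None:
        return "not-installed"
    return "malicious" if version in MALICIOUS_VERSIONS else "clean"


def startup_artefact_present(appdata: str | None = None) -> bool:
    """True if msbuild.exe sits in the per-user Windows Startup folder.

    Legitimate MSBuild lives under the .NET SDK / Visual Studio install
    tree, never in Startup, so any copy there is suspect.
    """
    appdata = appdata or os.environ.get("APPDATA")
    if not appdata:
        return False
    startup = Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return (startup / STARTUP_ARTEFACT).is_file()


# Constructed sample input for a stand-alone run (not a real project file).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Telnyx == 4.87.2   # pinned by an update bot on 2026-03-27
telnyx>=4.80        # range: could have resolved to 4.87.1 or 4.87.2
"""

if __name__ == "__main__":
    for f in scan_requirements_text(SAMPLE_REQUIREMENTS):
        print(f"sample line {f['line']}: {f['severity']:<9} {f['spec']}")
    print("installed telnyx:", classify_installed(installed_version()))
    print("msbuild.exe in Startup:", startup_artefact_present())
    for path, findings in scan_tree(Path(".")).items():
        print(path, [f["severity"] for f in findings])
    print(f"remediation: pin {PACKAGE}=={LAST_CLEAN_VERSION} and rotate secrets")
```

Run it from the root of a checkout on each developer machine and CI image. The ad hoc parser deliberately covers only the requirement forms that matter here rather than the full PEP 508 grammar, and it does not read lockfiles, so an empty result is necessary but not sufficient; the installed-version check is the one that reflects what actually ran at import time.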
Conclusion
The compromise of the Telnyx Python package underscores the growing sophistication of supply chain attacks and the need for heightened vigilance within the cybersecurity community. As threat actors like TeamPCP continue to evolve their tactics, organizations must remain proactive in securing their development environments and monitoring their dependencies for compromised releases.
For further details on this incident, refer to the original reporting from The Hacker News.