critical threat

Compromised Telnyx PyPI Package Distributes Credential-Stealing Malware

A threat actor compromised the PyPI package `telnyx`, uploading malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware that exfiltrates data to a C2 server.

On March 27, 2026, the telnyx Python package on PyPI was compromised by TeamPCP, resulting in the distribution of malicious versions 4.87.1 and 4.87.2. The attacker, having gained unauthorized access to PyPI credentials, bypassed the legitimate GitHub release pipeline to upload these compromised packages directly. These versions contain malware designed to harvest sensitive credentials from infected systems and exfiltrate them to a command-and-control (C2) server. The malicious packages were available for approximately 6 hours before being quarantined by PyPI. Version 4.87.1 contained a typo preventing execution, making 4.87.2 the fully functional malicious version. This incident highlights the risk of supply chain attacks targeting open-source package repositories, potentially affecting any system that installed the telnyx package during the exposure window.

Attack Chain

  1. The attacker gains unauthorized access to PyPI credentials for the telnyx package.
  2. The attacker uploads malicious versions 4.87.1 and 4.87.2 of the telnyx package to PyPI, bypassing the legitimate GitHub repository.
  3. When a user installs or upgrades to the malicious telnyx package, the injected malware within telnyx/_client.py executes upon importing the library (import telnyx).
  4. On Linux/macOS systems, the malware spawns a detached subprocess to ensure persistence and downloads a payload hidden inside a WAV audio file (ringtone.wav) from the C2 server at http://83.142.209.203:8080/.
  5. The downloaded payload harvests sensitive credentials, including SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configurations, .env files, database credentials, and crypto wallets.
  6. If Kubernetes access is detected, the malware deploys privileged pods to all nodes for lateral movement within the Kubernetes cluster.
  7. The collected data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated to the C2 server, identified by the header X-Filename: tpcp.tar.gz.
  8. On Windows, a binary payload hidden in hangup.wav is downloaded from http://83.142.209.203:8080/, dropped as msbuild.exe in the Startup folder for persistence, and executed with a hidden window, polling the endpoint http://83.142.209.203:8080/raw.

Impact

The compromise of the telnyx PyPI package poses a significant risk to developers and organizations that use the library. Successful execution of the malware leads to the theft of sensitive credentials, potentially granting the attacker unauthorized access to critical infrastructure, cloud resources, and sensitive data. TeamPCP’s previous campaign against LiteLLM and the similarities in this attack suggest a pattern of targeting open-source projects to infiltrate developer environments and steal secrets. The impact includes potential data breaches, financial losses, and reputational damage. The exposure window was approximately 6 hours, during which the malicious versions were available for installation.

Recommendation

  • Immediately check for the presence of malicious telnyx package versions (4.87.1 or 4.87.2) in your environment using the provided commands and uninstall them (pip uninstall telnyx).
  • Due to the credential-stealing nature of the malware, rotate all potentially exposed secrets, including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, API keys in .env files, and Telnyx API keys.
  • Check for persistence mechanisms used by the malware, specifically the audiomon service and associated files on Linux/macOS, and the msbuild.exe executable in the Startup folder on Windows, based on the file paths provided in the “Filesystem” section.
  • Block the identified C2 IP address (83.142.209.203) and payload URLs (http://83.142.209.203:8080/ringtone.wav, http://83.142.209.203:8080/hangup.wav, http://83.142.209.203:8080/raw) at your network perimeter.
  • Deploy the following Sigma rule to detect the creation of msbuild.exe in the Startup folder.
  • Pin the telnyx package to the safe version 4.87.0 in your project dependencies to prevent future installations of compromised versions.

Detection coverage (2 rules)

Detect MsBuild.exe in Startup Folder (Telnyx Compromise)

high

Detects the creation of msbuild.exe in the Startup folder, a persistence mechanism used in the compromised Telnyx package attack.

Format: sigma. Tactics: persistence. Techniques: T1547.001. Sources: file_event, windows.

Detect Network Connection to Telnyx Compromise C2

high

Detects network connections to the C2 IP address (83.142.209.203) used in the compromised Telnyx package attack.

Format: sigma. Tactics: command_and_control. Techniques: T1071.001. Sources: network_connection, windows.
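As an added example (not code from the advisory or from the Telnyx project), the following Python helpers implement the checks that the Recommendation list and the two detection rules above describe: classifying an installed or pinned telnyx version, testing a dependency line for the exact 4.87.0 pin, a file-path test equivalent in intent to the Startup-folder msbuild.exe rule, and a match of the published C2 IP and URLs over constructed proxy-log lines. The function names, the log format and the sample lines are assumptions.

```python
import re
from importlib import metadata

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}  # advisory: malicious releases
SAFE_VERSION = "4.87.0"                     # advisory: recommended pin
C2_IP = "83.142.209.203"                    # advisory IoCs
C2_URLS = tuple(f"http://{C2_IP}:8080/{p}" for p in ("ringtone.wav", "hangup.wav", "raw"))
# Any user's Startup folder: ...\Start Menu\Programs\Startup\msbuild.exe (case-insensitive)
STARTUP_MSBUILD = re.compile(r"\\start menu\\programs\\startup\\msbuild\.exe$", re.I)

def classify_version(version: str) -> str:
    """'malicious', 'safe' (the recommended pin) or 'unverified'."""
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    return "safe" if version == SAFE_VERSION else "unverified"

def installed_telnyx_status() -> str:
    """Classify the telnyx distribution visible to this interpreter, if any."""
    try:
        return classify_version(metadata.version("telnyx"))
    except metadata.PackageNotFoundError:
        return "not-installed"

def pins_safe_version(requirement_line: str) -> bool:
    """True only for an exact 'telnyx==4.87.0' pin; a range or a bare name
    would still let pip pick up a newer compromised release."""
    m = re.match(r"^\s*telnyx\s*==\s*([0-9A-Za-z.]+)\s*(#.*)?$", requirement_line)
    return bool(m) and m.group(1) == SAFE_VERSION

def is_startup_msbuild(path: str) -> bool:
    """File-create path test matching the intent of the first Sigma rule."""
    return STARTUP_MSBUILD.search(path.strip()) is not None

def scan_log_lines(lines):
    """Return (line_no, indicator) for each line touching the C2 IP or URLs."""
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((u for u in C2_URLS if u in line), None)
        if url:
            hits.append((n, url))
        elif C2_IP in line:
            hits.append((n, C2_IP))
    return hits

# Constructed sample proxy lines (assumed format, not real telemetry).
SAMPLE_PROXY_LOG = [
    "2026-03-27T10:02:11Z build-01 GET http://83.142.209.203:8080/ringtone.wav 200",
    "2026-03-27T10:02:12Z build-01 GET https://pypi.org/simple/telnyx/ 200",
    "2026-03-27T10:05:40Z ci-win-3 CONNECT 83.142.209.203:8080 200",
]
```

Run `scan_log_lines` over exported proxy or egress logs and `installed_telnyx_status` inside each Python environment (virtualenvs and CI images included), since importlib only sees the interpreter it runs in.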


Indicators of compromise

3 hash_sha256, 1 ip, 3 url

Type          Value
ip            83.142.209.203
url           http://83.142.209.203:8080/ringtone.wav
url           http://83.142.209.203:8080/hangup.wav
url           http://83.142.209.203:8080/raw
hash_sha256   7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
hash_sha256   cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3
hash_sha256   4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a