Malware - Hackers Backdoor Telnyx Python SDK on PyPI
Basically, hackers added malicious code to a popular programming tool to steal passwords.
Hackers have compromised the Telnyx Python SDK on PyPI, targeting developers across major operating systems. This could lead to stolen credentials and widespread system compromise. Users are urged to take immediate action to secure their systems.
What Happened
A group of hackers known as TeamPCP has successfully backdoored the Telnyx Python SDK on PyPI, a widely used cloud communications library. This incident occurred on March 27, 2026, when two malicious versions of the package, 4.87.1 and 4.87.2, were uploaded without any corresponding commits in the official GitHub repository. The attack is notable for its scale, as it impacts developers using Windows, macOS, and Linux systems, making it one of the broadest supply chain attacks this year.
This attack followed closely on the heels of another by TeamPCP, which compromised the LiteLLM AI proxy package just days earlier. The rapid succession of these attacks indicates a well-coordinated effort to infiltrate trusted open-source libraries, particularly those related to AI and developer tools. The malicious code was cleverly hidden, allowing it to slip into legitimate packages without immediate detection.
Who's Being Targeted
The primary targets of this backdoor attack are developers and organizations that utilize the Telnyx Python SDK. With over 700,000 downloads in February alone, the potential for widespread impact is significant. Any developer who installed the affected versions should consider their systems compromised. This includes not only individual developers but also larger organizations that integrate this SDK into their applications.
The impact extends beyond just credential theft; it poses a serious risk to the integrity of software projects that rely on the SDK. Developers must now be vigilant about the security of their development environments and the libraries they use.
Signs of Infection
The malicious payload was designed to activate simply by importing the Telnyx SDK in a Python project, making it particularly insidious. It was engineered to steal credentials and send them to an attacker-controlled server using sophisticated encryption methods, including AES-256-CBC and RSA-4096. Windows users face additional risks due to a boot persistence mechanism, which ensures that the malware remains active after system restarts.
Indicators of compromise include unexpected WAV file downloads from non-media IP addresses and any instances of msbuild.exe appearing in user Startup directories. Developers should also be on the lookout for unusual outbound HTTP requests that may indicate communication with the attacker's command-and-control server.
How to Protect Yourself
In light of this attack, it is crucial for developers and organizations to take immediate action. Anyone who installed the compromised versions should downgrade to the last confirmed clean release, which is 4.87.0, and treat their systems as potentially compromised. Credential rotation is highly recommended for any accounts accessed from affected machines.
Additionally, organizations should implement strict monitoring of their CI/CD pipelines for unusual activity, such as unexpected audio file downloads. Pinning all PyPI dependencies by hash can help prevent similar incidents in the future. By staying vigilant and proactive, developers can mitigate the risks posed by such sophisticated attacks.
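As an added example (not code from the article, from Telnyx, or from any incident report), here is a small defender-side audit a developer could run on a workstation or in CI: it classifies the installed telnyx release against the version numbers given above and flags msbuild.exe entries in Windows Startup folders. The Startup folder locations and all function names are my assumptions; the version numbers and the msbuild.exe indicator are the article's.

```python
from importlib import metadata
from pathlib import Path
import os

# Release numbers as stated in the write-up.
AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"

def parse_version(version: str) -> tuple[int, ...]:
    """Numeric prefix of each dotted component, so '4.87.0' -> (4, 87, 0)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def classify_telnyx_version(installed: str) -> str:
    """'compromised' for the two backdoored releases, 'clean' for 4.87.0 and
    older, 'unknown' for anything newer (the write-up does not vouch for it)."""
    if installed in AFFECTED_VERSIONS:
        return "compromised"
    if parse_version(installed) <= parse_version(LAST_CLEAN_VERSION):
        return "clean"
    return "unknown"

def installed_telnyx_status() -> str:
    """Classify the telnyx distribution visible to this interpreter, if any."""
    try:
        return classify_telnyx_version(metadata.version("telnyx"))
    except metadata.PackageNotFoundError:
        return "not installed"

def suspicious_startup_entries(filenames) -> list[str]:
    """msbuild.exe has no business in a user Startup folder; flag any such entry."""
    return [name for name in filenames if Path(name).name.lower() == "msbuild.exe"]

def scan_startup_dirs(dirs=None) -> list[str]:
    """Return msbuild.exe entries found in the given Startup directories."""
    if dirs is None:  # assumption: standard per-user and all-users Windows Startup folders
        dirs = [
            Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
            Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
        ]
    hits = []
    for d in map(Path, dirs):
        if d.is_dir():
            hits.extend(suspicious_startup_entries(str(p) for p in d.iterdir()))
    return hits

if __name__ == "__main__":
    print("telnyx:", installed_telnyx_status())
    print("startup msbuild.exe hits:", scan_startup_dirs() or "none")
```

For the hash-pinning step, `pip hash <wheel-or-sdist>` prints the `--hash=sha256:...` fragment for a requirements line, and `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest does not match.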