Malware - TeamPCP Compromises Telnyx Versions on PyPI
Basically, hackers hid malware in a popular Python package to steal user data.
TeamPCP has compromised the telnyx Python package on PyPI, pushing malicious versions to steal sensitive data. Developers must downgrade to a safe version immediately to protect their systems.
What Happened
On March 27, 2026, TeamPCP compromised the telnyx Python package by uploading two malicious versions, 4.87.1 and 4.87.2, to the Python Package Index (PyPI). These versions were designed to steal sensitive data from users by concealing their malware within a .WAV file. This attack follows a previous supply chain incident involving other tools like Trivy and litellm.
The malicious code was injected into the file telnyx/_client.py, which executes when the package is imported into Python applications. This allows the malware to target users across Windows, Linux, and macOS systems, significantly increasing its potential impact.
Who's Being Targeted
The attack primarily targets developers who use the telnyx package in their applications. Since telnyx is often integrated into various software projects, the risk of widespread exposure is high. The malicious versions can harvest credentials and other sensitive information from any system that imports the compromised package.
Reports from cybersecurity firms like Aikido, Endor Labs, and Socket indicate that the malware employs sophisticated techniques to evade detection, including audio steganography. This method allows the malware to hide its payload within audio files, making it difficult for traditional security measures to flag the malicious activity.
Signs of Infection
Users may not notice any immediate signs of infection. However, if you have installed telnyx versions 4.87.1 or 4.87.2, you should be vigilant. Signs of infection could include the presence of a file named msbuild.exe in the Windows Startup folder, which indicates that the malware is set to run every time the system starts. On Linux and macOS, look for unusual activity related to audio files or unexpected network requests.
The malware is designed to exfiltrate sensitive data, including environment variables and configuration files, which can lead to further compromises if not addressed quickly.
How to Protect Yourself
To protect against this threat, developers should take immediate action. First, audit your Python environments and check for any instances of telnyx version 4.87.1 or 4.87.2. If found, downgrade to the clean version 4.87.0 immediately. Additionally, rotate all secrets and credentials that may have been exposed.
It's also crucial to block the command-and-control (C2) server address associated with the malware, 83.142.209[.]203, to prevent further data exfiltration. Keeping your development environments secure and monitoring for unusual activities will help mitigate the risks posed by this sophisticated attack.
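A defender-side triage script for the steps above, added here as an example (not code from the article, from Telnyx, or from any of the cited firms): it flags pins of the two malicious versions in requirements text, reports the telnyx version installed in the current interpreter, and checks the Windows Startup folders for the msbuild.exe indicator described under Signs of Infection. The Startup-folder locations are the standard Windows ones; the sample requirements text is constructed.

```python
import os
import re
from importlib import metadata
from pathlib import Path

PACKAGE = "telnyx"
COMPROMISED = {"4.87.1", "4.87.2"}  # malicious releases named in the write-up
CLEAN_VERSION = "4.87.0"             # version the write-up says to downgrade to

# Pinned requirement lines such as "telnyx==4.87.1" or "TELNYX == 4.87.2  # comment".
_PIN_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def is_compromised_version(version):
    """True if the version string is one of the two malicious telnyx releases."""
    return version.strip() in COMPROMISED


def scan_requirements_text(text):
    """Return (line_number, version) for every pin of a malicious telnyx release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _PIN_RE.match(line)
        if match and is_compromised_version(match.group(1)):
            hits.append((lineno, match.group(1)))
    return hits


def installed_telnyx_version():
    """Version of telnyx installed in this interpreter, or None if absent."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


def windows_startup_indicators():
    """msbuild.exe paths present in the per-user or all-users Windows Startup folder."""
    candidates = []
    for env_var, leaf in (("APPDATA", "Startup"), ("PROGRAMDATA", "StartUp")):
        base = os.environ.get(env_var)  # unset on Linux/macOS, so nothing is checked there
        if base:
            candidates.append(Path(base, "Microsoft", "Windows", "Start Menu", "Programs", leaf, "msbuild.exe"))
    return [path for path in candidates if path.is_file()]


if __name__ == "__main__":
    sample = "requests==2.32.0\ntelnyx==4.87.1  # auto-bumped\nTELNYX == 4.87.2\n"  # constructed
    print("malicious pins (line, version):", scan_requirements_text(sample), "-> repin to", CLEAN_VERSION)
    print("installed telnyx:", installed_telnyx_version(), "| startup indicators:", windows_startup_indicators())
```

Any hit from the scan or the installed-version check should be followed by the downgrade and credential rotation described above, since the package runs its payload on import and the data may already be gone.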
The Hacker News