Supply Chain | Mar 30, 2026

TeamPCP Uses Fake Ringtone File in Tainted Telnyx SDK to Steal Credentials

TeamPCP injects malicious code into Telnyx Python SDK versions to steal credentials and crypto keys.

Summary

Threat actor TeamPCP compromised Telnyx Python SDK versions 4.87.1 and 4.87.2 by embedding malicious code disguised as a ringtone file that downloaded and executed a credential-stealing payload. The attack targeted developers' SSH keys, cryptocurrency wallets, and cloud credentials (Google Cloud, Azure) before Telnyx rapidly mitigated the breach on March 27, 2026. Over 700,000 monthly SDK downloads meant the potential blast radius was significant, though Telnyx confirmed no core platform or customer data was compromised.

Full text

Telnyx issues an urgent alert after hackers TeamPCP uploaded malicious versions (4.87.1 & 4.87.2) of its Python SDK to steal cloud and crypto credentials.

By Deeba Ahmed, March 30, 2026

TeamPCP hackers planted malicious code in tainted Telnyx Python SDK versions using a fake ringtone file to steal credentials, crypto wallets, and keys.

A relatively new group of hackers known as TeamPCP has struck again, this time targeting the popular communication platform Telnyx. This latest move follows a string of interconnected cyberattacks reported by Wiz Research and Checkmarx just last week, including a breach of the Trivy security tool on 19 March 2026. As Hackread.com recently reported regarding the Trivy incident, this group is becoming notorious for supply chain attacks, a method where hackers sneak malicious code into trusted software to infect users automatically.

According to researchers at OX Security, who shared their findings with Hackread.com, the group uploaded two ‘tainted versions’ of the Telnyx Python library (4.87.1 and 4.87.2) on the morning of 27 March 2026. These libraries are essential building blocks for apps, and with over 700,000 monthly downloads, the potential for damage is high.

The Fake Audio Trick

As per OX Security’s investigation, the hackers used a clever disguise of hiding their code inside a file called _client.py, which was programmed to download a harmless-looking file named ringtone.wav from a remote server. For your information, this audio file was actually a scrambled program. Once it landed on a computer, it began hunting for sensitive data, including SSH keys (digital master keys), cryptocurrency wallets like Bitcoin and Ethereum, and credentials for Google Cloud and Azure. This is exactly like the attack on LiteLLM we reported earlier this week.

[Figure: Attack chain (Source: OX Security)]

Is Your Data Safe?

Thankfully, Telnyx reacted quickly. Writing on X (Twitter), the company confirmed they have “solved the root cause” of the breach. Importantly, they confirmed that the Telnyx platform, voice services, messaging infrastructure, and AI inference were not affected. The company clarified that the SDK is a client library that has “no privileged access to Telnyx infrastructure,” and as a result, no customer data was accessed.

However, while their core phone networks and customer databases remained untouched, the risk is very real for developers. As researchers noted, the breach only affected those who ran the “pip install telnyx” command during the brief window the malicious files were live. So, if you updated your software on 27 March, check your version immediately. If you are running 4.87.1 or 4.87.2, you are at risk. The advice from experts is simple: revert to version 4.87.0 and, as researchers urged, “rotate all keys and secrets immediately” to ensure hackers cannot use any stolen login details.
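The version check advised above, carried across every virtual environment and dependency file under a directory. This is an added example, not code from Telnyx, OX Security or the original article. The names `scan_tree` and `read_text` are hypothetical, and the `ringtone.wav` string match is a heuristic that assumes only what the article says about `_client.py`.

```python
"""Added example: find the Telnyx SDK releases this article names as tainted."""
import os
import re
import sys

COMPROMISED = {"4.87.1", "4.87.2"}  # versions named in the article
# pip metadata directory, e.g. telnyx-4.87.1.dist-info
DIST_INFO = re.compile(r"^telnyx-(?P<ver>[^-]+)\.dist-info$", re.I)
# requirements-style pin, e.g. telnyx==4.87.1 or telnyx[extra] == 4.87.2
REQ_PIN = re.compile(r"^\s*telnyx(?:\[[^\]]*\])?\s*==\s*(?P<ver>[\w.]+)", re.I | re.M)
# poetry.lock / uv.lock [[package]] entry: name line followed by version line
LOCK_PIN = re.compile(r'name\s*=\s*"telnyx"\s*\n\s*version\s*=\s*"(?P<ver>[^"]+)"', re.I)

def read_text(path):
    """Read a file as text, returning '' if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return fh.read()
    except OSError:
        return ""

def scan_tree(root):
    """Return sorted (kind, version, path) findings below root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            m = DIST_INFO.match(name)
            if m and m["ver"] in COMPROMISED:
                found.append(("installed", m["ver"], os.path.join(dirpath, name)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith((".txt", ".lock")):
                text = read_text(path)
                for rx in (REQ_PIN, LOCK_PIN):
                    found += [("pinned", m["ver"], path)
                              for m in rx.finditer(text) if m["ver"] in COMPROMISED]
            # Heuristic from the article: the tainted _client.py fetched ringtone.wav
            elif name == "_client.py" and os.path.basename(dirpath) == "telnyx":
                if "ringtone.wav" in read_text(path):
                    found.append(("marker", "unknown", path))
    return sorted(found)

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, ver, path in hits:
        print(f"{kind:9} telnyx {ver:8} {path}")
    print("revert to telnyx==4.87.0 and rotate all keys and secrets" if hits
          else "no tainted telnyx release found")
    sys.exit(1 if hits else 0)
```

An "installed" or "marker" hit means the package was present on that machine, so the key and secret rotation the researchers urge applies even after the downgrade; a "pinned" hit alone means the next install would have pulled a tainted release.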

Indicators of Compromise

  • malware — TeamPCP