Telnyx Targeted in Growing TeamPCP Supply Chain Attack

Summary

TeamPCP's ongoing supply chain campaign has compromised the popular Telnyx Python SDK, uploading malicious versions 4.87.1 and 4.87.2 to PyPI. The rogue packages contain encoded payloads hidden in WAV files that drop executables or execute scripts to exfiltrate session keys across Windows, macOS, and Linux systems. This marks the latest in a weeks-long campaign affecting multiple open source ecosystems including Trivy, LiteLLM, Docker Hub, and Kubernetes, with potential blast radius exceeding 1,900 dependent packages.

Full text

The popular Telnyx Python SDK is the latest victim of TeamPCP’s weeks-long supply chain campaign targeting the broad open source software ecosystem. The campaign started on March 19 with Aqua Security’s open source vulnerability scanner Trivy and continued with infections across NPM, Docker Hub, Kubernetes, OpenVSX, and the LiteLLM PyPI package. On Friday, two malicious versions of Telnyx, namely 4.87.1 and 4.87.2, were uploaded to the PyPI registry, targeting Windows, macOS, and Linux systems. Telnyx is a cloud-based voice solution enabling traditional phone calls directly on respond.io. The Python library has over 670,000 monthly downloads. The rogue Telnyx PyPI packages contained a WAV file that would drop an executable in the startup folder on Windows systems or would execute a hardcoded Python script to decode a third-stage collector script to exfiltrate the machine’s session key on macOS and Linux systems. “The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script,” cybersecurity firm Aikido explains.Advertisement. Scroll to continue reading. All the exfiltrated data is encrypted using asymmetric encryption (RSA), and the encoded public key is the same that was used in previous TeamPCP attacks, such as the LiteLLM PyPI package compromise, JFrog notes. “It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP’s recent attacks on the open source ecosystems,” JFrog says. Telnyx users who installed either of the malicious versions of the SDK should consider their machines compromised and rotate all credentials, API keys, SSH keys, and other secrets. According to GitGuardian, the blast radius from TeamPCP’s campaign extends well beyond the publicly discussed compromised packages. The cybersecurity firm identified over 470 repositories that run a malicious version of the Trivy GitHub Action, and more than 1,900 packages that included LiteLLM as a dependency, thus potentially propagating the initial infection. The numbers, GitGuardian warns, represent lower bounds, as the analysis is based only on publicly accessible data. When private repositories and transitive dependencies are taken into consideration, the actual scope of the supply chain campaign extends much further. Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Related: Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation Related: AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire OpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesCoruna iOS Exploit Kit Likely an Update to Operation TriangulationHightower Holding Data Breach Impacts 130,000BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareOnit Security Raises $11 Million for Exposure Management Platform Latest News Russian APT Star Blizzard Adopts DarkSword iOS Exploit KitEuropean Commission Reports Cyber Intrusion and Data TheftHacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in WarfareExploitation of Fresh Citrix NetScaler Vulnerability BeginsFBI Confirms Kash Patel Email Hack as US Offers $10M Reward for HackersF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsPro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal Account Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — TeamPCP
• malware — Telnyx Python SDK v4.87.1
• malware — Telnyx Python SDK v4.87.2
• malware — LiteLLM PyPI package (compromised)
• malware — Trivy GitHub Action (malicious versions)