Security researchers have uncovered a sophisticated supply chain attack in which threat actors, identified as TeamPCP, successfully backdoored the popular Telnyx Python SDK. The malicious code, published to the Python Package Index (PyPI), aimed to steal sensitive credentials from developers across Windows, macOS, and Linux operating systems. The compromised versions, 4.87.1 and 4.87.2, were published on March 27, 2026, with no corresponding commits in the official GitHub repository, raising immediate concerns about the authenticity of the widely used library, which saw over 700,000 downloads in February alone.
This incident follows closely on the heels of another attack attributed to TeamPCP, which compromised the LiteLLM AI proxy package just three days prior. This pattern suggests a concerted effort by the group to target open-source libraries integral to AI development and the broader developer toolchain. The rapid succession of these attacks indicates TeamPCP possesses a refined operational capability to inject malicious code into legitimate packages, evading initial detection by security mechanisms.
Telnyx Python SDK Backdoored: A Widespread Credential Theft Campaign
Trend Micro analysts were instrumental in identifying and documenting the compromise of the Telnyx Python SDK. Both malicious packages were quickly quarantined by PyPI at 10:13 UTC on March 27, 2026, approximately 6.5 hours after their discovery. According to the researchers, the malicious payload was embedded directly within the telnyx/_client.py file, designed to execute automatically upon module import, meaning a simple import telnyx statement was sufficient to trigger the attack.
The implications of this attack vector are severe. Any developer or organization that downloaded or installed versions 4.87.1 or 4.87.2 should consider their systems compromised. The malware was engineered to exfiltrate credentials to an attacker-controlled server, employing a robust encryption chain utilizing AES-256-CBC and RSA-4096 to obscure the transmission. The broad compatibility of the attack, impacting Windows, macOS, and Linux, further amplifies its reach. Notably, Windows users were also exposed to a boot persistence mechanism designed to ensure the malware remained active across system reboots.
PyPI has since taken action to quarantine the compromised versions. The last known legitimate release is version 4.87.0. Developers and organizations are strongly advised to immediately downgrade to this clean version and to rotate any credentials that may have been accessible from affected machines. This proactive measure is crucial to mitigate potential further compromise and unauthorized access.
WAV Steganography: Novel Malware Concealment Method
A key technical innovation in this attack is TeamPCP’s use of WAV audio files to conceal the credential-stealing payload. Unlike the previous LiteLLM attack, where a Base64-encoded harvester was embedded directly in the source code, the Telnyx variant downloaded the malware dynamically from a command-and-control (C&C) server located at 83[.]142[.]209[.]203:8080. This technique allowed the malicious code to be hidden within seemingly innocuous WAV files, which bypass standard MIME-type checks and file extension filters, leaving no direct evidence of the harvester within the package’s source code.
The decoded Base64 payload for Linux systems facilitated the download of the WAV file, which was then decoded and executed. The extraction process leveraged Python’s wave module to read audio frames. The data within these frames was then Base64 decoded and split: the initial 8 bytes served as an XOR key, while the subsequent bytes constituted the encrypted payload. Each byte was XORed against this rotating key to recover the cleartext harvester. This sophisticated method rendered static analysis of the package largely ineffective, as the core malicious logic resided externally.
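For responders who have captured a suspect WAV file, the layout described above can be checked and unwrapped without running anything. The following is an added example, not code from the researchers or from the malicious package; the function names, the mono 8-bit fixture format and the trailing-null stripping are assumptions, and the sample carrier is constructed with a harmless marker string.

```python
import base64
import binascii
import hashlib
import io
import wave
from itertools import cycle

def make_wav(frames: bytes) -> bytes:
    """Build a mono 8-bit WAV in memory (fixture helper for the samples below)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

def constructed_carrier(cleartext: bytes, key: bytes = b"8bytekey") -> bytes:
    """Constructed sample laid out as the article describes: Base64(key || XOR(body))."""
    body = bytes(b ^ k for b, k in zip(cleartext, cycle(key)))
    return make_wav(base64.b64encode(key + body))

def triage_wav(wav_bytes: bytes):
    """Return recovered bytes if the frames match the scheme, else None. Nothing is executed."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        frames = w.readframes(w.getnframes())
    try:
        # Real PCM audio is not valid Base64, so strict decoding doubles as the detector.
        blob = base64.b64decode(frames.rstrip(b"\x00"), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) <= 8:
        return None
    key, body = blob[:8], blob[8:]  # first 8 bytes are the rotating XOR key
    return bytes(b ^ k for b, k in zip(body, cycle(key)))

def report(wav_bytes: bytes) -> dict:
    """Summarise a file for an incident ticket without writing the payload to disk."""
    clear = triage_wav(wav_bytes)
    if clear is None:
        return {"suspicious": False}
    return {"suspicious": True, "size": len(clear),
            "sha256": hashlib.sha256(clear).hexdigest(), "preview": clear[:24]}

if __name__ == "__main__":
    print(report(constructed_carrier(b"CONSTRUCTED MARKER, not malware")))
    print(report(make_wav(b"\x80" * 800)))  # 8-bit PCM silence
```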
Furthermore, the malicious code was deliberately fragmented across three distinct sections within the _client.py file, making it significantly more challenging to detect through superficial code reviews. On Windows systems, a disguised executable named msbuild.exe was installed in the Startup folder, a common technique for establishing boot persistence and ensuring the malware automatically launched upon system restart.
Organizations are advised to monitor for unusual WAV file downloads originating from non-media-related IP addresses over port 8080, as well as outbound HTTP requests featuring the X-Filename: tpcp.tar.gz header. The presence of unexpected msbuild.exe files within user Startup directories should also be a cause for concern. Best practices recommend pinning all PyPI dependencies by hash and closely monitoring CI/CD pipelines for any anomalous audio file downloads or unexpected outbound network connections. The ongoing evolution of supply chain attacks underscores the need for continuous vigilance and layered security approaches within software development lifecycles.
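The indicators listed above can be turned into a quick host and log sweep. This is an added example, not tooling from the researchers or from PyPI; the function names and the proxy log layout are assumptions, and the sample log lines (timestamps, paths, file name) are constructed.

```python
import re
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"4.87.1", "4.87.2"}                      # from the article
C2 = "83[.]142[.]209[.]203:8080".replace("[.]", ".")     # refanged for matching
EXFIL_HEADER = "x-filename: tpcp.tar.gz"
WAV_8080 = re.compile(r":8080/\S*\.wav\b")

def telnyx_is_compromised(version=None) -> bool:
    """Read the version from package metadata; importing telnyx would run the payload."""
    if version is None:
        try:
            version = metadata.version("telnyx")
        except metadata.PackageNotFoundError:
            return False
    return version in BAD_VERSIONS

def scan_proxy_log(lines):
    """Return (line_number, indicator) pairs for the network indicators in the article."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if C2 in low:
            hits.append((n, "c2-address"))
        if EXFIL_HEADER in low:
            hits.append((n, "exfil-header"))
        if WAV_8080.search(low):
            hits.append((n, "wav-over-8080"))
    return hits

def startup_msbuild(startup_dir):
    """List msbuild.exe files in a user Startup directory (name match is case-insensitive)."""
    d = Path(startup_dir)
    if not d.is_dir():
        return []
    return sorted(p for p in d.iterdir() if p.name.lower() == "msbuild.exe")

# Constructed log lines in an assumed "timestamp method url status headers" layout.
SAMPLE_LOG = [
    "2026-03-27T04:10:02Z GET http://83.142.209.203:8080/sample.wav 200 -",
    "2026-03-27T04:10:09Z POST http://83.142.209.203:8080/ 200 X-Filename: tpcp.tar.gz",
    "2026-03-27T04:11:00Z GET https://pypi.org/simple/telnyx/ 200 -",
]

if __name__ == "__main__":
    print("bad telnyx installed:", telnyx_is_compromised())
    print(scan_proxy_log(SAMPLE_LOG))
```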

