A new phase in an ongoing software supply chain attack campaign has compromised the popular Python package Telnyx, with malicious releases published to PyPI. The activity is attributed to the threat group TeamPCP, previously linked to the compromise of tools such as Trivy, KICS and the litellm library. In this incident, the attackers uploaded two Trojanized Telnyx versions — 4.87.1 and 4.87.2 — embedding a covert credential‑stealing component.
The primary objective of these modified packages is the theft of sensitive data and credentials from developer workstations and CI/CD environments. To evade traditional detection, the payload is concealed inside a seemingly benign WAV audio file, a technique that significantly complicates both network monitoring and disk forensics.
Malicious Telnyx Python Releases on PyPI and Current Status
The weaponized builds telnyx 4.87.1 and 4.87.2 were uploaded to the PyPI repository on 27 March 2026. Once imported by a Python application, the package activates embedded malware designed to harvest credentials, environment variables, tokens and other secrets that are highly valuable in modern DevOps pipelines.
Security vendors including Aikido, Endor Labs, Ossprey Security, SafeDep, Socket and StepSecurity report that the last known clean release is 4.87.0. The Telnyx project on PyPI has been placed in a quarantine state to limit further spread of the malicious versions, but any environments that installed 4.87.1 or 4.87.2 should be treated as potentially compromised.
How the Telnyx Python Package Was Weaponized
Analysis shows the attackers injected malicious logic into the “telnyx/_client.py” module. Because this file is loaded when the package is imported, the attack is execution‑on‑import: no additional user interaction is required. The malware supports Windows, Linux and macOS, enabling broad impact across heterogeneous development and server fleets.
Linux and macOS: Multi‑Stage In‑Memory Attack with Audio Steganography
On Linux and macOS, Socket’s research describes a three‑stage execution chain:
1) Download of a WAV file and extraction of hidden code using audio steganography (data concealed inside audio samples);
2) In‑memory execution of a data‑collection module, avoiding persistent binaries on disk;
3) Encrypted exfiltration of collected data to a remote command‑and‑control server.
All temporary files and directories are created under a transient path and are recursively wiped at the end of execution. This design aims to leave a minimal forensic footprint, complicating incident response and post‑compromise analysis.
Windows: Persistence via Fake “msbuild.exe” in Startup Folder
On Windows, the malware retrieves a different WAV file, “hangup.wav”, from the C2 infrastructure. The hidden payload extracted from this file is written to the user’s startup folder as “msbuild.exe”. By masquerading as a legitimate Microsoft build tool and abusing the startup location, the attackers gain persistent execution every time the user logs in, surviving system reboots and enabling longer‑term access.
Audio Steganography Malware and Covert Data Exfiltration
For Linux and macOS targets, the attackers use another WAV file, “ringtone.wav”, which contains the third‑stage collector script. This component aggregates a broad set of sensitive artefacts — credentials, API tokens, configuration files and environment variables — and compresses them into “tpcp.tar.gz”. The archive is then sent via HTTP POST to 83.142.209[.]203:8080.
The key innovation is the use of audio steganography as a delivery channel. Instead of shipping an obvious executable or base64‑encoded blob, the payload is embedded inside a legitimate‑looking media file. Given that many intrusion detection and EDR products still prioritize inspection of executables and scripts, this method significantly improves the attackers’ chances of slipping through monitoring controls.
Probable Theft of the Telnyx PyPI Token and Link to litellm Campaign
The exact method used to compromise the PYPI_TOKEN for the Telnyx project has not yet been definitively established. However, Endor Labs researchers assess that reuse of previously stolen credentials is a likely scenario within the broader TeamPCP campaign.
During the earlier compromise of the litellm library, the attackers deployed a collector that exfiltrated environment variables, .env file contents and shell history from any host importing the package. If a developer workstation or CI/CD runner used both litellm and held a valid Telnyx PyPI token, that token could have been harvested and later abused to publish the malicious Telnyx releases.
Targeting CI/CD Pipelines: Different Tactics for Windows and *nix
The attackers’ platform‑specific tactics reveal different strategic objectives. On Linux and macOS, where CI/CD agents, containers and servers are prevalent, the focus is on a rapid, “smash‑and‑grab” theft of as much data as possible, followed by aggressive cleanup to minimize traces. On Windows, more typical for corporate endpoints, the emphasis is on persistence and repeat access.
This aligns with broader industry observations from past software supply chain incidents such as SolarWinds and the 3CX attack, where compromised build and monitoring tools provided high‑value footholds into otherwise well‑defended environments.
Mitigation Steps for Developers and DevSecOps Teams
Organizations relying on Telnyx, litellm or similar ecosystem components should take immediate action:
1. Verify installed Telnyx versions; if 4.87.1 or 4.87.2 are present, roll back to 4.87.0, conduct host‑level forensics and review authentication, application and CI/CD logs.
2. Revoke and rotate all PyPI tokens and other secrets that may have been accessible on systems using litellm or compromised Telnyx builds.
3. Enforce strict dependency version pinning and integrity verification (hash pinning, Sigstore, private mirrors) in build pipelines.
4. Monitor network traffic for known indicators of compromise, including connections to 83.142.209[.]203:8080, and investigate unusual media file downloads from CI/CD environments.
5. Apply least‑privilege access to CI/CD runners, security scanners and build tools, segregating and tightly controlling access to secrets.
6. Regularly audit development tooling — including IDE plugins and third‑party analyzers — as part of a broader software supply chain risk management program.
The Telnyx PyPI compromise, following similar activity against litellm, Trivy and KICS, underscores a critical shift: developer and security tools themselves are becoming primary attack surfaces. Organizations that proactively harden their CI/CD pipelines, verify the provenance and integrity of open‑source dependencies and continuously monitor for anomalous behavior will be significantly better positioned to detect and contain the next wave of supply chain attacks before a seemingly innocuous WAV file delivers a far more damaging payload into production.
