- Malicious versions of the popular telnyx Python package (4.87.1 and 4.87.2) were published to PyPI on March 27, 2026, using audio steganography to hide credential-stealing code.
- The threat actor TeamPCP, linked to prior attacks on Trivy and litellm, is suspected to have gained the PyPI token from a previous credential harvesting operation.
- The malware uses a segmented attack chain: long-term persistence on Windows, and a stealthy “smash-and-grab” data theft operation on Linux and macOS.
- Users must immediately downgrade to version 4.87.0, rotate all exposed secrets, and block the command-and-control server at 83.142.209[.]203.
On March 27, 2026, the threat actor TeamPCP compromised the widely used telnyx Python package by uploading two malicious versions designed to steal sensitive data. This latest supply chain attack shows a concerning evolution in the tactics of a group that had distributed trojanized versions of litellm just days earlier.
The malware, injected into the package’s source code, uses a .WAV file to conceal its payload through audio steganography. According to Socket, the attack leaves near-zero forensic artifacts by operating within a self-destructing temporary directory. On Windows, it achieves persistence by dropping a file into the Startup folder, while on Linux and macOS, it executes a rapid data harvest before vanishing.
The campaign also puts a spotlight on the elevated access that security and infrastructure tools require. As Snyk noted, tools like Trivy and litellm need broad read access by design. The attacker likely obtained the PyPI token through the earlier litellm compromise, as Endor Labs researchers suggested.
The strategic split in attack methodology across operating systems is clear. “Windows gets persistence… Linux/macOS gets smash-and-grab,” Socket explained. This approach signals a shift in which ransomware groups are now weaponizing open-source infrastructure.
To mitigate the threat, developers should audit their environments and dependency files for the malicious versions and revert to 4.87.0. They must also rotate all exposed secrets and block the C2 server at 83.142.209[.]203. The ongoing campaign reflects a dangerous maturation in software supply chain attacks, turning trusted development tools into potent attack vectors.
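As an added example (not code from the article, from Socket, or from the telnyx project), the following Python script carries out the audit steps above: it flags the two malicious telnyx releases in pinned requirement or `pip freeze` lines, reports whether the telnyx package installed in the current environment is one of them, and scans connection-log lines for the reported C2 address. The requirement lines, the log lines and the log format are constructed for the example.

```python
"""Audit helpers for the malicious telnyx 4.87.1 / 4.87.2 releases.

Added example, not the article's or the telnyx project's code. The sample
requirement lines and connection-log lines below are constructed.
"""
import re
from importlib import metadata

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
SAFE_VERSION = "4.87.0"
# The article prints the C2 address defanged; refang it for exact matching.
C2_IP = "83.142.209[.]203".replace("[.]", ".")

# Pinned telnyx lines such as "telnyx==4.87.1" or "Telnyx[async]==4.87.0",
# as found in requirements.txt or `pip freeze` output (case-insensitive).
_PIN_RE = re.compile(
    r"^\s*telnyx(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE
)
# Dotted-quad IPv4 token, bounded so that 83.142.209.2030 is not a false hit.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def flag_requirements(lines):
    """Return (line_number, version) for every pinned telnyx line that names
    a malicious release. Trailing '#' comments are ignored."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _PIN_RE.match(line.split("#", 1)[0])
        if match and match.group(1) in MALICIOUS_VERSIONS:
            hits.append((number, match.group(1)))
    return hits


def installed_telnyx_status():
    """Return 'absent', 'malicious' or 'ok' for telnyx in this interpreter's
    environment, using installed package metadata (no network access)."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "absent"
    return "malicious" if version in MALICIOUS_VERSIONS else "ok"


def flag_c2_connections(log_lines):
    """Return the indices of log lines that contain the C2 IP as a whole
    dotted-quad token (substring matching would also hit 83.142.209.2030)."""
    return [i for i, line in enumerate(log_lines) if C2_IP in _IP_RE.findall(line)]


# Constructed sample inputs (not real project files or real logs).
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "telnyx==4.87.1  # constructed sample: malicious release",
    "Telnyx[async]==4.87.0",
    "telnyx==4.87.2",
]
SAMPLE_CONN_LOG = [
    "2026-03-28T10:01:02Z CONNECT 10.0.0.5 -> 83.142.209.203:443",
    "2026-03-28T10:01:03Z CONNECT 10.0.0.5 -> 198.51.100.9:443",
    "2026-03-28T10:01:04Z CONNECT 10.0.0.7 -> 83.142.209.2030:443",
]


def main():
    for number, version in flag_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {number}: telnyx=={version} is malicious; "
              f"pin telnyx=={SAFE_VERSION} and rotate exposed secrets")
    print("installed telnyx:", installed_telnyx_status())
    for index in flag_c2_connections(SAMPLE_CONN_LOG):
        print("C2 contact:", SAMPLE_CONN_LOG[index])


if __name__ == "__main__":
    main()
```

Run it against a real `requirements.txt` by reading the file into a list and passing it to `flag_requirements`, or pipe `pip freeze` output through it; a `malicious` result from `installed_telnyx_status()` means the environment itself, not only a pin file, needs the downgrade and a secret rotation.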