BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Telnyx PyPI Package Compromised in Supply Chain Attack

Malicious versions of the telnyx package deployed via audio steganography to steal data.

  • Malicious versions of the popular telnyx Python package (4.87.1 and 4.87.2) were published to PyPI on March 27, 2026, using audio steganography to hide credential-stealing code.
  • The threat actor TeamPCP, linked to prior attacks on Trivy and litellm, is suspected to have gained the PyPI token from a previous credential harvesting operation.
  • The malware uses a sophisticated, segmented attack chain: delivering long-term persistence on Windows and a stealthy “smash-and-grab” data theft operation on Linux and macOS systems.
  • Users must immediately downgrade to version 4.87.0, rotate all exposed secrets, and block the command-and-control server at 83.142.209[.]203.

On March 27, 2026, the threat actor TeamPCP compromised the widely used telnyx Python package by uploading two malicious versions designed to steal sensitive data. This latest supply chain attack demonstrates a concerning evolution in the group’s tactics, which distributed trojanized versions of litellm just days earlier.

- Advertisement -

The malware, injected into the package’s source code, uses a .WAV file to conceal its payload through audio steganography. According to Socket, the attack leaves near-zero forensic artifacts by operating within a self-destructing temporary directory. On Windows, it achieves persistence by dropping a file into the Startup folder, while on Linux and macOS, it executes a rapid data harvest before vanishing.

Consequently, the campaign puts a spotlight on the elevated access security and infrastructure tools require. As Snyk noted, tools like Trivy and litellm need broad read access by design. The attacker likely obtained the PyPI token through the initial litellm compromise, as suggested by Endor Labs researchers.

The strategic split in attack methodology is clear across operating systems. “Windows gets persistence… Linux/macOS gets smash-and-grab,” Socket explained. This sophisticated approach signals a shift where ransomware groups are now weaponizing open-source infrastructure.

To mitigate the threat, developers should audit for the malicious versions and revert to 4.87.0. They must also rotate all secrets and block the C2 domain, 83.142.209[.]203. The ongoing campaign reflects a dangerous maturation in software supply chain attacks, turning trusted development tools into potent attack vectors.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

New Webinar: Outpace AI Attacks with Zero Trust

AI-powered attacks, like the Mythos model, now execute in minutes what previously took attackers...

Amazon Stock Drops 13%: Should You Sell or Hold Before Earnings?

Amazon shares fell 13% into a correction amid concerns over $200 billion in capital...

MoonPay’s MoonAgents AI assistant now on Telegram

MoonPay launched support for its AI crypto assistant, MoonAgents, on the Telegram messaging platform...

GoPro founder loans $20M to save sinking company

GoPro founder and CEO Nicholas Woodman is extending $20 million in financing to the...

Sony Bank gains US approval to launch dollar stablecoins

Sony Bank received preliminary approval from the OCC to establish a US trust bank...

Must Read

How Cryptocurrency Works For Beginners?

Welcome to the world of cryptocurrency! If you're new to this exciting and rapidly evolving landscape, you might feel like Alice in Wonderland, exploring...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading