TeamPCP, the threat actor behind the supply chain attacks targeting the Trivy security scanner, KICS infrastructure tool, and the litellm Python library, has expanded its campaign to the telnyx Python package on PyPI. Two malicious versions — 4.87.1 and 4.87.2 — were published to the Python Package Index (PyPI) with a hidden credential-stealing payload concealed inside WAV audio files using steganography.
The Malicious Telnyx Packages
The Telnyx Python SDK is an official client library for the Telnyx communications platform, widely used by developers building voice, messaging, and video applications. TeamPCP compromised the package by pushing two trojanized versions that appeared functionally legitimate while secretly delivering a stealer payload.
Malicious versions:
- telnyx 4.87.1 — published to PyPI in late March 2026
- telnyx 4.87.2 — follow-up malicious version
Both versions included the legitimate Telnyx SDK functionality, making detection more difficult for developers who installed and tested the package without deeper inspection. The stealer payload was embedded within WAV audio files bundled with the package, using steganographic techniques to conceal malicious code within ostensibly benign binary data.
Steganography in WAV Files
The use of audio file steganography as a delivery mechanism represents a notable evasion technique. Steganography hides data inside files in ways that are not visually or audibly apparent — in this case, executable payload bytes were encoded within the WAV audio file's data portion.
This approach offers several advantages for attackers attempting to evade detection:
- Antivirus/EDR evasion: Security tools typically scan executable files and scripts; WAV files are less frequently scrutinized for embedded code
- Obfuscation: The malicious payload is not visible as plaintext in the package contents — casual inspection of package files would not immediately surface the threat
- Legitimate cover: Audio files in an SDK package can appear plausible, particularly for a communications platform SDK that legitimately works with audio formats
The payload was extracted from the WAV file at runtime and executed by the malicious components added to the package.
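As an added example (not code from the article or from Telnyx), the following heuristic triage can be run over WAV files found in a downloaded package to flag a data chunk that does not behave like PCM audio; the 7.5 bits/byte entropy threshold and the synthetic inputs are my assumptions, not figures from the article.

```python
# Added example (not from the article): heuristic triage of WAV files shipped in a
# Python package. The 7.5 bits/byte entropy threshold is an assumption of mine.
import hashlib
import math
import struct
from collections import Counter

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_riff(blob: bytes):
    """Return ({chunk_id: payload}, bytes_after_last_chunk) for a RIFF/WAVE blob."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_end = 8 + struct.unpack_from("<I", blob, 4)[0]   # declared file extent
    chunks, pos = {}, 12
    while pos + 8 <= min(riff_end, len(blob)):
        cid, size = blob[pos:pos + 4], struct.unpack_from("<I", blob, pos + 4)[0]
        chunks[cid] = blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)                        # bodies are padded to even length
    return chunks, max(0, len(blob) - pos)

def triage_wav(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag signs that a WAV carries something other than audio (heuristic)."""
    chunks, trailing = parse_riff(blob)
    fmt, data = chunks.get(b"fmt ", b""), chunks.get(b"data", b"")
    bits = struct.unpack_from("<H", fmt, 14)[0] if len(fmt) >= 16 else 8
    # For 16-bit PCM, probe the high byte of each sample: real audio clusters and
    # changes slowly, while an embedded payload looks uniformly random.
    ent = entropy_bits(data[1::2] if bits == 16 else data)
    findings = []
    if ent > entropy_threshold:
        findings.append(f"sample entropy {ent:.2f} bits/byte, unlike PCM audio")
    if trailing:
        findings.append(f"{trailing} bytes appended after the last RIFF chunk")
    return {"entropy": round(ent, 2), "trailing": trailing, "findings": findings}

def build_wav(samples: bytes, extra: bytes = b"") -> bytes:
    """Constructed 8 kHz mono 16-bit PCM WAV, used only to make sample input."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = (b"WAVEfmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra

# Constructed inputs: a 440 Hz tone versus a same-length blob of deterministic
# pseudo-random bytes standing in for a hidden payload.
TONE = b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / 8000)))
                for i in range(4000))
FAKE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(250))
```

Running `triage_wav(build_wav(TONE))` yields no findings, while the same call on `build_wav(FAKE_PAYLOAD)` or on a tone with bytes appended after the RIFF body is flagged.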
Objective: Credential Theft
The stealer's primary objective was the exfiltration of sensitive data from developer environments, including:
- API keys and access tokens stored in environment files, configuration files, or shell profiles
- Cloud provider credentials (AWS, GCP, Azure access keys)
- SSH private keys and authentication materials
- Browser-stored credentials and session tokens
- CI/CD environment variables including secrets from automated pipeline environments
Developer environments are high-value targets for credential thieves: a single compromise can yield cloud access keys, source code repository tokens, or CI/CD credentials that provide lateral movement into production infrastructure.
TeamPCP: A Persistent Supply Chain Actor
This attack is part of a broader campaign by TeamPCP that has targeted multiple widely-used developer tools and libraries:
| Previous Target | Type | Impact |
|---|---|---|
| Trivy | Security scanner (Docker/K8s) | CI/CD credential theft via GitHub Actions tag hijacking |
| KICS | Infrastructure-as-Code scanner | Developer toolchain compromise |
| litellm | LLM API library | AI/ML developer targeting |
| telnyx | Communications SDK | Developer/DevOps targeting |
The consistent methodology — targeting widely-used Python packages and developer tools — suggests TeamPCP is focused on developer supply chain compromise as a repeatable attack vector to reach downstream production environments.
Detection and Response
If you installed telnyx 4.87.1 or 4.87.2:
- Immediately remove the malicious versions: `pip uninstall telnyx`
- Install a verified clean version: `pip install telnyx==4.87.0` (or the latest verified clean version)
- Assume credential compromise — rotate all credentials accessible from the affected environment:
  - API keys (Telnyx and any other stored keys)
  - Cloud provider access keys
  - SSH keys
  - Any tokens in environment variables
- Audit CI/CD pipelines for any runs using the malicious versions
- Review deployment logs for unusual outbound connections or data transfers
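As an added example (not from the article or the Telnyx project), this script locates the two malicious releases in pin files such as requirements.txt or `pip freeze` output, reports whether the running interpreter has one installed, and lists any WAV files an installed telnyx distribution registers in its RECORD metadata; the sample requirements content is constructed.

```python
# Added example (not from the article): find the malicious telnyx releases in pin
# files and in the running interpreter. Sample pins below are constructed.
import re
from importlib import metadata

MALICIOUS_TELNYX = {"4.87.1", "4.87.2"}            # versions named in the article
# name, optional [extras], '==', version; environment markers and comments ignored
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")

def normalize(name: str) -> str:
    """PEP 503 style normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def malicious_pins(lines) -> list:
    """(line_number, version) for every pin of a known-malicious telnyx release."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _PIN.match(line)
        if m and normalize(m.group(1)) == "telnyx" and m.group(2) in MALICIOUS_TELNYX:
            hits.append((lineno, m.group(2)))
    return hits

def installed_telnyx_status() -> str:
    """'missing', 'clean' or 'MALICIOUS <version>' for the current interpreter."""
    try:
        ver = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "missing"
    return f"MALICIOUS {ver}" if ver in MALICIOUS_TELNYX else "clean"

def bundled_wav_files(dist: str = "telnyx") -> list:
    """Paths of .wav files listed in the installed distribution's RECORD, if any."""
    try:
        files = metadata.files(dist) or []                # None when RECORD is absent
    except metadata.PackageNotFoundError:
        return []
    return [str(p) for p in files if str(p).lower().endswith(".wav")]

SAMPLE_REQUIREMENTS = """\
# constructed sample pin file
requests==2.31.0
Telnyx[voice]==4.87.1   # pulled in by an internal tool
telnyx==4.87.0
"""

if __name__ == "__main__":
    print("installed telnyx:", installed_telnyx_status(), bundled_wav_files())
    for lineno, ver in malicious_pins(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {lineno}: pins malicious telnyx {ver}; reinstall a clean version and rotate credentials")
```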
For supply chain hygiene:
- Pin package versions in production and verify hashes against known-good baselines
- Use dependency scanners (Dependabot, Snyk, Socket.dev) to detect newly malicious package versions
- Enable PyPI Trusted Publishers for packages you maintain to prevent account hijacking
- Monitor PyPI security advisories for packages your projects depend on
Broader Supply Chain Risk
The TeamPCP campaign illustrates the persistent threat posed by supply chain attacks against the Python ecosystem. PyPI's open publishing model — while essential to the ecosystem's vibrancy — means any package can be updated with malicious content if an attacker compromises (or creates) the publisher account.
Security teams should treat new or updated dependency versions with the same scrutiny applied to other external code: verify checksums, review changelogs for anomalies, and run dependency audit tools as part of CI/CD pipelines.
Source: The Hacker News