TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file. [...]
What Happened
The threat actor known as TeamPCP has executed a software supply chain attack by compromising the official telnyx Python package on the Python Package Index (PyPI). The attackers uploaded two malicious versions of the library which, when installed, deploy credential-stealing malware. To evade detection, the malicious payload is hidden inside a WAV audio file bundled with the package. This incident follows a pattern of similar supply chain attacks by the group, which has previously targeted popular open-source projects such as Trivy, KICS, and litellm.
Why It Matters
This attack directly targets the developer ecosystem, a high-value vector for compromising downstream applications and organizations. By poisoning a legitimate package, attackers can gain a foothold in any environment where the tainted library is used, potentially leading to large-scale data theft from development and production systems. The use of PyPI, a central repository trusted by millions, amplifies the potential impact, as automated builds and dependencies can silently pull in the malicious code. It underscores the persistent threat to open-source software integrity and the need for robust software composition analysis.
Technical Details
The malicious telnyx versions contain obfuscated code that, upon execution, retrieves a second-stage payload. That payload is concealed within a WAV audio file using steganography, the practice of hiding data inside another file format so that the carrier looks benign. The extracted payload is a Python-based information stealer that harvests sensitive data from the infected system, including credentials, environment variables, and configuration files. The attack does not exploit a software vulnerability (no CVE is assigned); it abuses the trust installers place in packages published under the legitimate telnyx name. Only the telnyx package is involved, and PyPI has identified and removed the specific malicious versions.
Immediate Risk
The immediate risk is MEDIUM. Although the malicious versions have been removed from PyPI, any system that installed them between upload and removal must be treated as compromised: the stealer may already have exfiltrated whatever credentials and configuration it found. Developers and organizations that use or have recently updated the telnyx package should assume compromise and conduct forensic analysis. The risk is particularly acute for projects that resolve dependencies without version pinning or a lock file, because an automated build can pull a newly published release with no human in the loop.
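The "assume compromise" step above starts with a quick triage of what is actually installed. The following helper is an added example written for this page, not code from the article or from Telnyx; it checks the installed version against a deny list and flags bundled files that a pure-Python HTTP client would not normally ship, such as audio files. The deny-list versions are placeholders, because the article does not name the malicious version numbers; take the real ones from PyPI's advisory or your SCA feed. A telephony SDK could legitimately ship audio, so a hit is a lead for analysis, not proof of compromise.

```python
"""Added example, not from the article or the Telnyx project: triage an
installed Python distribution for a known-bad version and for bundled
files that look out of place in a pure-Python SDK."""
from importlib import metadata
from pathlib import PurePosixPath

# PLACEHOLDER versions: the article does not list the malicious releases.
# Replace with the versions named by PyPI / your SCA tool.
KNOWN_BAD_VERSIONS = {"telnyx": {"0.0.0-placeholder"}}

# Extensions you would not expect in an HTTP API client. Tune per package.
SUSPICIOUS_SUFFIXES = {".wav", ".mp3", ".ogg", ".flac", ".exe", ".dll"}


def triage(name, version, files):
    """Return a list of findings for one distribution.

    name:    normalized project name (lowercase)
    version: installed version string
    files:   paths relative to site-packages, as importlib.metadata reports
    An empty list means nothing stood out (not the same as 'clean').
    """
    findings = []
    if version in KNOWN_BAD_VERSIONS.get(name, set()):
        findings.append(f"{name}=={version} is on the deny list")
    for path in files:
        if PurePosixPath(path).suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append(f"unexpected bundled file in {name}: {path}")
    return findings


def triage_installed(name):
    """Run triage() against the distribution installed in this interpreter."""
    dist = metadata.distribution(name)
    files = [str(p) for p in (dist.files or [])]
    return triage(name.lower(), dist.version, files)


# Constructed sample file list (not a real telnyx release manifest).
SAMPLE_FILES = [
    "telnyx/__init__.py",
    "telnyx/api_resources/call.py",
    "telnyx/assets/ringback.wav",
]

if __name__ == "__main__":
    for finding in triage("telnyx", "9.9.9", SAMPLE_FILES):
        print(finding)
    try:
        for finding in triage_installed("telnyx"):
            print(finding)
    except metadata.PackageNotFoundError:
        print("telnyx is not installed in this interpreter")
```

Run it in each virtual environment and CI image that could have resolved telnyx during the exposure window, not only on developer laptops; the build runners are where unpinned installs usually happen.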
Security Insight
This attack reinforces that software supply chain security must extend beyond vulnerability management to behavior analysis and provenance verification. Security teams should route installs through a private package repository with a curated allow-list and require hash-pinning for every dependency (for example, pip's --require-hashes mode, which refuses any requirement that is not pinned with == and accompanied by a hash). Automated tooling should flag anomalous package behavior, such as unexpected network calls or file system writes at install or import time. For this incident specifically, organizations should scan for the malicious telnyx versions and the associated payload indicators, and rotate any credentials that may have been exposed from affected systems.
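To make the hash-pinning recommendation concrete, the block below is an added example (not the article's or Telnyx's code) that re-implements the policy pip enforces under --require-hashes: every requirement must be pinned with == and carry at least one sha256 hash, and the downloaded artifact must match one of them. The requirements text and the "sdist" bytes are constructed for the demo; the hash in the file is computed from those fake bytes, not from a real Telnyx release. In practice you generate the file with pip-compile --generate-hashes (pip-tools) or pip hash, and install with pip install --require-hashes -r requirements.txt.

```python
"""Added example, not from the article or the Telnyx project: the checks that
`pip install --require-hashes` performs, written out so the failure modes
(unpinned requirement, missing hash, tampered artifact) are visible."""
import hashlib
import re

# One requirement as pip-compile --generate-hashes emits it (continuation
# lines joined):  name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)"
    r"(?P<spec>[<>=!~]+\S+)?"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def parse_requirement(line):
    """Return (normalized_name, version, {sha256 hashes}).

    Raises ValueError for anything --require-hashes would reject.
    """
    line = line.split("#", 1)[0].strip()
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name = m.group("name").lower().replace("_", "-")
    spec = m.group("spec") or ""
    if not spec.startswith("=="):
        raise ValueError(f"{name}: not pinned with == (hash mode requires exact pins)")
    hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
    if not hashes:
        raise ValueError(f"{name}: no --hash entries")
    return name, spec[2:], hashes


def _logical_lines(text):
    # pip-compile writes "name==ver \" followed by indented --hash lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def lint_requirements(text):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    for line in _logical_lines(text):
        try:
            parse_requirement(line)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def parse_requirements(text):
    """Map normalized name -> (version, hashes); raises on the first bad line."""
    return {n: (v, h) for n, v, h in (parse_requirement(l) for l in _logical_lines(text))}


def verify_artifact(requirements_text, name, artifact_bytes):
    """True only if the artifact's sha256 is one of the hashes pinned for name."""
    _version, hashes = parse_requirements(requirements_text)[name]
    return sha256_of(artifact_bytes) in hashes


# Constructed demo artifact: stands in for a downloaded telnyx sdist/wheel.
DEMO_SDIST = b"constructed bytes standing in for telnyx-1.2.3.tar.gz"
TAMPERED_SDIST = DEMO_SDIST + b"\n# attacker-added stage-one loader"

# Constructed requirements.txt in pip-compile --generate-hashes layout.
DEMO_REQUIREMENTS = (
    "# constructed for the example; the hash is of DEMO_SDIST above\n"
    f"telnyx==1.2.3 \\\n    --hash=sha256:{sha256_of(DEMO_SDIST)}\n"
)

if __name__ == "__main__":
    print("lint:", lint_requirements(DEMO_REQUIREMENTS) or "ok")
    print("genuine artifact accepted:", verify_artifact(DEMO_REQUIREMENTS, "telnyx", DEMO_SDIST))
    print("tampered artifact accepted:", verify_artifact(DEMO_REQUIREMENTS, "telnyx", TAMPERED_SDIST))
    print("unpinned line:", lint_requirements("telnyx>=1.0\n"))
```

Note what the hash check does and does not buy you: a freshly published malicious version has a different hash from the one you pinned, so an automated build that resolves it fails closed instead of installing it; it does not protect the first time you pin, which is where provenance checks and a curated mirror belong.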