🔓 BREACH BRIEF · 🟠 High · 🔍 ThreatIntel

Supply Chain Attack Compromises Telnyx Python SDK, Deploys Credential‑Stealing Malware via WAV Files

TeamPCP hijacked the official Telnyx Python SDK on PyPI, publishing backdoored versions that deliver a WAV‑embedded payload capable of stealing SSH keys, cloud tokens, and other secrets. The incident highlights the risk of compromised third‑party libraries for organizations that integrate Telnyx communication services.

🛡️ LiveThreat™ Intelligence · 📅 March 28, 2026 · 📰 bleepingcomputer.com

Severity: 🟠 High
Type: 🔍 ThreatIntel
Confidence: 🎯 High
Affected: 🏢 3 sector(s)
Actions: 4 recommended
Source: 📰 bleepingcomputer.com

What Happened — Threat actor TeamPCP hijacked the official Telnyx Python SDK on PyPI, publishing backdoored versions 4.87.1 and 4.87.2. The malicious code drops a second‑stage payload hidden inside a WAV audio file that steals SSH keys, cloud tokens, cryptocurrency wallets, and other secrets on Linux/macOS, and installs a persistent executable on Windows.

Why It Matters for TPRM

  • A compromised third‑party SDK can silently infect any downstream application that imports it, expanding the attack surface across multiple industries.
  • Credential‑stealing payloads enable lateral movement into cloud environments, Kubernetes clusters, and privileged pods, threatening data confidentiality and service integrity.
  • The incident demonstrates the risk of stolen publishing credentials on open‑source registries, a vector often overlooked in vendor risk assessments.

Who Is Affected — SaaS/tech vendors, cloud‑native developers, telecom/communication service providers, and any organization that integrates Telnyx’s communication APIs.

Recommended Actions

  • Immediately audit all environments for the presence of Telnyx 4.87.1/4.87.2 or any unexpected imports of the telnyx package.
  • Revoke and rotate all PyPI publishing credentials; enforce multi‑factor authentication for package maintainers.
  • Deploy SCA tools that verify package integrity (e.g., hash checks, provenance verification) before allowing production deployments.
  • Conduct a credential‑theft impact assessment: rotate SSH keys, cloud tokens, and secrets that may have been exfiltrated.
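Added example for the first recommended action (this script is not from the brief, BleepingComputer, or Telnyx): it classifies telnyx lines in a requirements or pip-freeze file as pinned to one of the two versions named above, or as range/unpinned specs that must be resolved against a lockfile before they can be cleared, and checks the running interpreter via importlib.metadata. The sample requirements text is constructed.

```python
"""Audit a Python environment for the backdoored telnyx 4.87.1 / 4.87.2 releases."""
from __future__ import annotations
import re
import sys
from importlib import metadata

COMPROMISED = {"4.87.1", "4.87.2"}  # versions named in the brief

# Match only the 'telnyx' project (optionally with extras), not e.g. 'telnyx-foo'.
SPEC_RE = re.compile(r"^\s*telnyx(?:\[[^\]]*\])?(?=\s|[=<>~!]|$)\s*(.*)$", re.IGNORECASE)

# Constructed sample requirements file (not real data).
SAMPLE_REQUIREMENTS = """\
# constructed example requirements file
requests==2.31.0
telnyx==4.87.2
telnyx-extras==1.0
Telnyx[voice] == 4.86.0
telnyx>=4.80 ; python_version >= "3.9"
"""


def scan_requirements(text: str) -> dict[str, list[str]]:
    """Return {'compromised': [...], 'unresolved': [...]} for telnyx lines in requirements text.

    'compromised' holds exact pins to a listed bad version; 'unresolved' holds ranges or
    bare names, which may resolve to a bad version and need checking in the lockfile.
    """
    result: dict[str, list[str]] = {"compromised": [], "unresolved": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, env markers
        m = SPEC_RE.match(line)
        if not m:
            continue
        spec = m.group(1).replace(" ", "")
        if spec.startswith("=="):
            if spec[2:] in COMPROMISED:
                result["compromised"].append(raw.strip())
        else:
            result["unresolved"].append(raw.strip())
    return result


def check_installed() -> str | None:
    """Return the installed telnyx version if it is a compromised release, else None."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None
    return version if version in COMPROMISED else None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    print("requirements:", scan_requirements(text))
    print("installed compromised version:", check_installed())
```

Run it against each environment's `pip freeze` output as well as the committed requirements file, since a container image may carry a version the repository never pinned.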

Technical Notes — The malicious telnyx/_client.py executes on import, spawning a detached process that downloads a WAV file (ringtone.wav or hangup.wav). Steganographic XOR‑encrypted code is extracted in‑memory, harvesting secrets and, if Kubernetes is present, creating privileged pods to capture cluster credentials. Persistence on Windows is achieved via a copy of msbuild.exe placed in the Startup folder. The compromise appears to stem from stolen PyPI publishing account credentials. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
