TeamPCP Distributes Malicious Telnyx PyPI Packages, Embeds Credential Stealer in WAV Files
What Happened — On March 27, 2026, the threat actor known as TeamPCP published two compromised versions (4.87.1 and 4.87.2) of the telnyx Python package to the Python Package Index (PyPI). The malicious code hides a credential‑harvesting stealer inside a seemingly innocuous .WAV file; the stealer runs when the package is imported.
Why It Matters for TPRM —
- Supply‑chain compromise of a widely used communications API can expose downstream customers to credential theft.
- PyPI is a trusted source; malicious uploads erode confidence in third‑party code repositories.
- Organizations that integrate Telnyx for voice, messaging, or verification services may inadvertently exfiltrate API keys, user data, and internal secrets.
Who Is Affected — Technology SaaS providers, telecom/communications platforms, and any enterprise that incorporates the Telnyx Python SDK into production workloads.
Recommended Actions —
- Immediately audit all environments for the malicious telnyx versions and replace them with a clean release.
- Enforce strict package‑allow‑list policies and use signed packages where possible.
- Rotate any Telnyx API credentials that may have been exposed and monitor for anomalous usage.
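One way to run the audit in the first action, as an added example that is not code from the source article or from Telnyx: it reads installed-package metadata instead of importing telnyx, since the payload runs on import. The function names and the requirements-style pin format (`telnyx==X`) are assumptions; the two version numbers are the ones given above.

```python
import re
import sys
from importlib import metadata
from pathlib import Path

PACKAGE = "telnyx"
BAD_VERSIONS = {"4.87.1", "4.87.2"}  # the two releases named on this page

# requirements-style pin: telnyx==X or telnyx[extra]==X (assumed file format)
PIN_RE = re.compile(r"^\s*telnyx(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)", re.IGNORECASE)


def installed_hits(search_paths=None):
    """Find affected installs from dist-info metadata only; telnyx is never
    imported, because the page states the payload runs on import."""
    kwargs = {"path": [str(p) for p in search_paths]} if search_paths else {}
    hits = []
    for dist in metadata.distributions(**kwargs):
        try:
            name = (dist.metadata.get("Name") or "").strip().lower()
            version = dist.version
        except Exception:  # damaged metadata: skip rather than abort the audit
            continue
        if name == PACKAGE and version in BAD_VERSIONS:
            hits.append((version, str(dist.locate_file(""))))
    return hits


def pinned_hits(root):
    """Find requirements*.txt / constraints*.txt lines pinning an affected version."""
    hits = []
    for pattern in ("requirements*.txt", "constraints*.txt"):
        for path in sorted(Path(root).rglob(pattern)):
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
            for number, line in enumerate(lines, start=1):
                match = PIN_RE.match(line)
                if match and match.group(1) in BAD_VERSIONS:
                    hits.append((str(path), number, match.group(1)))
    return hits


if __name__ == "__main__":
    # Scans the current interpreter's sys.path and the working directory tree.
    found = installed_hits() + pinned_hits(Path.cwd())
    for hit in found:
        print("AFFECTED:", *hit)
    sys.exit(1 if found else 0)  # non-zero exit lets a CI job fail on a hit
```

Run it with each interpreter or virtual environment in use, or pass other site-packages directories to `installed_hits()`; lock files in other formats need their own parser.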
Technical Notes — The malicious payload is concealed in a .WAV audio file that is decoded and executed at runtime, leveraging Python’s dynamic import mechanisms. No CVE is associated; the attack exploits trust in the PyPI supply chain. Data types at risk include API keys, authentication tokens, and any secrets stored in environment variables accessed by the compromised package.
Source: The Hacker News