Telnyx PyPI Package Compromise Fuels Vect Ransomware Affiliate Campaign and First Victim Claim
What Happened – Attackers hijacked the official Telnyx Python SDK on PyPI, injecting malicious code that contacts a C2 server and drops the Vect ransomware payload. The compromised package was used by downstream developers, enabling a mass‑affiliate ransomware operation; the first victim, a mid‑size SaaS provider, publicly confirmed data loss.
Why It Matters for TPRM –
- Supply‑chain compromise can bypass traditional perimeter defenses.
- Malicious SDKs expose API credentials and customer data across multiple tenants.
- Affiliate ransomware programs amplify impact, turning a single compromised library into a multi‑victim outbreak.
Who Is Affected – Telecom‑as‑a‑Service (Telnyx), SaaS platforms that integrate Telnyx APIs, developers relying on the PyPI package, and any downstream customers of those services.
Recommended Actions –
- Conduct an immediate inventory of all Telnyx SDK versions in use.
- Replace any pre‑compromise versions with the verified release and rotate Telnyx API keys.
- Review dependency‑scanning tools for PyPI supply‑chain alerts and enforce signed package verification.
- Engage the Telnyx security team for remediation status and demand evidence of improved package signing processes.
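The inventory and verification steps above can be scripted. The following is an added example, not code from the original brief or from Telnyx: it parses `pip freeze` output collected from several services, reports which services run an unverified telnyx version, and checks a downloaded artifact against `--hash=sha256:` pins of the kind `pip install --require-hashes` enforces. The service names, freeze output, allowlisted version and artifact bytes are constructed placeholders, not real Telnyx release data.

```python
"""Inventory pinned telnyx versions across services and verify artifact hash pins."""
import hashlib
import hmac
import re

# Constructed sample input: `pip freeze` output captured from three hypothetical services.
SAMPLE_FREEZE = {
    "billing-api": "requests==2.31.0\nTelnyx==2.1.0\nurllib3==2.2.1\n",
    "sms-gateway": "telnyx==2.1.3\nflask==3.0.0\n",
    "reporting": "pandas==2.2.0\n",
}

# Hypothetical allowlist of SDK versions the team has verified out of band
# (placeholder value, not a real Telnyx release number).
VERIFIED_VERSIONS = {"2.1.0"}

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
_HASH = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Telnyx', 'telnyx' and 'telnyx_sdk' compare predictably."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> dict:
    """Map normalised package name -> pinned version from `pip freeze` output."""
    pins = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def inventory(freezes: dict, package: str = "telnyx", verified=VERIFIED_VERSIONS) -> dict:
    """Return {service: status}; status is 'absent', 'verified' or 'UNVERIFIED:<version>'."""
    report = {}
    target = normalize(package)
    for service, text in freezes.items():
        version = parse_freeze(text).get(target)
        if version is None:
            report[service] = "absent"
        elif version in verified:
            report[service] = "verified"
        else:
            report[service] = f"UNVERIFIED:{version}"
    return report


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact (the digest form used by pip's --hash pins)."""
    return hashlib.sha256(data).hexdigest()


def pinned_hashes(requirement_line: str) -> set:
    """Extract every sha256 pin from a requirements line such as
    'telnyx==2.1.0 --hash=sha256:<hex>' (the format pip --require-hashes consumes)."""
    return {h.lower() for h in _HASH.findall(requirement_line)}


def artifact_matches_pin(artifact: bytes, requirement_line: str) -> bool:
    """True only if the artifact's SHA-256 equals one of the pinned hashes.
    Constant-time comparison avoids leaking how many digest bytes matched."""
    digest = sha256_hex(artifact)
    return any(hmac.compare_digest(digest, h) for h in pinned_hashes(requirement_line))


if __name__ == "__main__":
    for service, status in inventory(SAMPLE_FREEZE).items():
        print(f"{service:12s} telnyx: {status}")

    # Constructed artifact bytes standing in for a downloaded wheel; the pin line is
    # built from the known-good bytes, then a tampered copy is checked against it.
    good_wheel = b"constructed-good-wheel-bytes"
    pin_line = "telnyx==2.1.0 --hash=sha256:" + sha256_hex(good_wheel)
    print("good artifact matches pin:", artifact_matches_pin(good_wheel, pin_line))
    print("tampered artifact matches pin:", artifact_matches_pin(good_wheel + b"\x00", pin_line))
```

In practice `SAMPLE_FREEZE` would be replaced by freeze output pulled from each build image or host, and the pin line by the project's own hash-pinned requirements file; any service reporting `UNVERIFIED` or any artifact failing the pin check is a candidate for replacement and key rotation.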
Technical Notes – Attack vector: third‑party dependency compromise on PyPI; malicious code executed on pip install, establishing a reverse shell and delivering Vect ransomware. No public CVE yet; data types at risk include API tokens, call‑record metadata, and customer identifiers. Source: SANS Internet Storm Center