HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Supply Chain Attack Compromises Telnyx PyPI Package, Fuels Vect Ransomware Affiliate Campaign and First Victim Claim

Attackers hijacked the official Telnyx Python SDK on PyPI, embedding malicious code that delivers Vect ransomware. The compromise enabled a mass‑affiliate campaign and led to the first publicly disclosed victim, highlighting a critical supply‑chain risk for telecom and SaaS customers.

LiveThreat™ Intelligence · 📅 March 28, 2026· 📰 isc.sans.edu
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
isc.sans.edu

Telnyx PyPI Package Compromise Fuels Vect Ransomware Affiliate Campaign and First Victim Claim

What Happened – Attackers hijacked the official Telnyx Python SDK on PyPI, injecting malicious code that contacts a C2 server and drops the Vect ransomware payload. The compromised package was used by downstream developers, enabling a mass‑affiliate ransomware operation; the first victim, a mid‑size SaaS provider, publicly confirmed data loss.

Why It Matters for TPRM

  • Supply‑chain compromise can bypass traditional perimeter defenses.
  • Malicious SDKs expose API credentials and customer data across multiple tenants.
  • Affiliate ransomware programs amplify impact, turning a single compromised library into a multi‑victim outbreak.

Who Is Affected – Telecom‑as‑a‑Service (Telnyx), SaaS platforms that integrate Telnyx APIs, developers relying on the PyPI package, and any downstream customers of those services.

Recommended Actions

  • Conduct an immediate inventory of all Telnyx SDK versions in use.
  • Replace any pre‑compromise versions with the verified release and rotate Telnyx API keys.
  • Review dependency‑scanning tools for PyPI supply‑chain alerts and enforce signed package verification.
  • Engage Telnyx security team for remediation status and demand evidence of improved package signing processes.

Technical Notes – Attack vector: third‑party dependency compromise on PyPI; malicious code executed on pip install, establishing a reverse shell and delivering Vect ransomware. No public CVE yet; data types at risk include API tokens, call‑record metadata, and customer identifiers. Source: SANS Internet Storm Center

📰 Original Source
https://isc.sans.edu/diary/rss/32838

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →