TeamPCP Compromises Telnyx Python SDK on PyPI Using WAV Steganography, Steals Credentials
Take action: If you installed or upgraded the Telnyx Python SDK on March 27, 2026, THIS IS URGENT! Immediately downgrade to version 4.87.0 and treat that environment as fully compromised. Rotate every credential the system could touch (SSH keys, cloud tokens, API keys, database passwords, CI/CD secrets). Check for persistence artifacts: on Windows, msbuild.exe in your Startup folder; on Linux, the audiomon.service systemd unit; in Kubernetes, node-setup-* pods in kube-system. Block all traffic to 83[.]142[.]209[.]203 at your firewall.
The threat actor group TeamPCP has compromised the official Telnyx Python SDK on the Python Package Index (PyPI), publishing two backdoored versions, 4.87.1 and 4.87.2, on March 27, 2026, between 03:51 UTC and 10:13 UTC.
The Telnyx Python SDK is the official client for Telnyx's cloud communications platform (programmable voice, SMS, and telephony infrastructure) and averages over 742,000 downloads per month. The malicious code was injected into a single file, telnyx/_client.py, and executed immediately upon importing the package; no install hook or user interaction was required. Version 4.87.1 contained a capitalization typo (Setup() instead of setup()) that left the Windows attack path non-functional, prompting the attacker to publish version 4.87.2 with the fix just sixteen minutes later. Both malicious versions have since been quarantined by PyPI, and the last known clean release is version 4.87.0. The Telnyx platform, APIs, and core infrastructure were not compromised; the incident was limited to the PyPI distribution channel.
The attack uses a new delivery mechanism centered on WAV audio steganography, a technique TeamPCP first deployed in a Kubernetes wiper variant on March 22. Instead of embedding the full malicious payload directly in the package source code, the compromised SDK functions as a thin dropper that fetches second-stage payloads from a command-and-control server at 83[.]142[.]209[.]203:8080, disguised as valid .wav audio files. On Linux and macOS, the malware spawns a detached subprocess that downloads ringtone.wav, extracts a 332-line credential harvester from the audio frame data using a base64-plus-XOR decoding scheme, and executes it entirely in memory. The harvester targets sensitive data, including:
- SSH keys and configurations,
- AWS, GCP, Azure, and Kubernetes credentials,
- Docker, npm, Git, and Vault authentication tokens,
- database credentials (PostgreSQL, MySQL, Redis, MongoDB),
- cryptocurrency wallet keys (Bitcoin, Ethereum, Solana, Cardano),
- TLS/SSL certificates and private keys,
- environment files (.env, .env.local, .env.production) searched six directories deep,
- shell and database command histories,
- system files including /etc/passwd and /etc/shadow.
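The dropper described above relies on a WAV file whose "audio" frames are really text. That gives defenders a cheap triage check: genuine PCM audio is high-entropy binary, while a base64 payload is confined to a 64-character alphabet and decodes strictly. The following is an added example written for this article, not code from Telnyx, Endor Labs, or the TeamPCP payload. The exact frame layout and XOR key used by TeamPCP are not published here, so the hide_payload/recover_payload pair uses an assumed stand-in encoding (base64 of the XORed script written directly as frames) only to build a constructed sample; the triage heuristic itself does not depend on that assumption. Standard library only.

```python
# Added example (not from the article or the Telnyx project): heuristic triage
# for WAV files whose PCM frames carry base64 text instead of audio, plus a
# constructed sample using an ASSUMED base64+XOR stand-in encoding.
import base64
import io
import math
import struct
import wave

# Bytes allowed in standard base64 output (no line breaks).
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         b"abcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Base64 text cannot exceed 6.0; real PCM is usually higher."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def wav_frames(wav_bytes: bytes) -> bytes:
    """Return the raw PCM frame bytes (the RIFF 'data' chunk) of a WAV file."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.readframes(w.getnframes())


def triage_wav(wav_bytes: bytes) -> dict:
    """Flag a WAV whose frames are entirely valid base64 rather than audio samples."""
    frames = wav_frames(wav_bytes)
    if not frames:
        return {"verdict": "empty", "b64_ratio": 0.0, "entropy": 0.0}
    ratio = sum(b in B64_ALPHABET for b in frames) / len(frames)
    decodable = False
    if ratio > 0.95:
        try:
            base64.b64decode(frames, validate=True)  # strict alphabet and padding check
            decodable = True
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    verdict = "suspicious" if decodable else "looks like audio"
    return {"verdict": verdict, "b64_ratio": round(ratio, 3),
            "entropy": round(shannon_entropy(frames), 2)}


# ---- constructed samples (not real attacker artifacts) ----------------------

def make_wav(pcm: bytes, rate: int = 8000) -> bytes:
    """Wrap raw 16-bit mono PCM bytes in a RIFF/WAVE container."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)
    return buf.getvalue()


def sine_pcm(seconds: float = 0.2, rate: int = 8000, hz: float = 440.0) -> bytes:
    """Benign audio: a 440 Hz tone as signed 16-bit little-endian samples."""
    return b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * hz * i / rate)))
                    for i in range(int(seconds * rate)))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_payload(script: bytes, key: bytes) -> bytes:
    """ASSUMED stand-in for the article's base64-plus-XOR scheme: the real layout is not known here."""
    return make_wav(base64.b64encode(xor_bytes(script, key)))


def recover_payload(wav_bytes: bytes, key: bytes) -> bytes:
    """Inverse of hide_payload, for an analyst who already has the key."""
    return xor_bytes(base64.b64decode(wav_frames(wav_bytes)), key)


CONSTRUCTED_SCRIPT = b"print('constructed placeholder, not the real harvester')\n"
CONSTRUCTED_KEY = b"demo-key"  # assumption: any key; not the attacker's
BENIGN_WAV = make_wav(sine_pcm())
STEGO_WAV = hide_payload(CONSTRUCTED_SCRIPT, CONSTRUCTED_KEY)

if __name__ == "__main__":
    print("benign tone:", triage_wav(BENIGN_WAV))
    print("stego sample:", triage_wav(STEGO_WAV))
    print("recovered:", recover_payload(STEGO_WAV, CONSTRUCTED_KEY))
```

The heuristic deliberately checks strict decodability rather than entropy alone: an attacker can pad frames with real audio and keep only a slice as text, in which case the b64_ratio drops and a per-chunk scan of the frame data (same check, sliding window) is the natural extension. Point triage_wav at any ringtone.wav or hangup.wav recovered from proxy caches or disk.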
If AWS credentials are found, the harvester actively exploits them by calling the AWS IMDS, Secrets Manager, and SSM Parameter Store APIs. If a Kubernetes service account token is present, it enumerates all cluster secrets and deploys privileged pods in the kube-system namespace to every node, mounting the host root filesystem to install persistence implants directly on the nodes. Once collection is complete, the stolen data is encrypted with a random AES-256-CBC session key, the session key is wrapped with the attacker's RSA-4096 public key using OAEP padding, and the bundle is exfiltrated as tpcp.tar.gz via an HTTP POST request. On Linux, the malware also installs a persistent polling implant (audiomon.service) that checks the C2 server every 45–55 minutes for new WAV payloads to execute. On Windows, the malware downloads hangup.wav, extracts a native Windows executable from the audio frames, and drops it as msbuild.exe into the Windows Startup folder for persistence across reboots, with a hidden lock file enforcing a 12-hour re-download cooldown.
This compromise is the latest escalation in a weeks-long cascading supply chain campaign by TeamPCP that began on March 19 with the backdooring of Aqua Security's Trivy vulnerability scanner, tracked as CVE-2026-33634 (CVSS score 9.4).
Credentials stolen from Trivy-running CI/CD pipelines were used to propagate the CanisterWorm backdoor across 46+ npm packages on March 20, compromise Checkmarx's KICS GitHub Actions and OpenVSX extensions on March 23, and poison LiteLLM versions 1.82.7 and 1.82.8 on PyPI on March 24.
Endor Labs researchers assess that the Telnyx PyPI publishing token was most likely obtained through the LiteLLM credential harvest itself. TeamPCP's harvester swept environment variables, .env files, and shell histories from every system that imported LiteLLM, and the three-day gap between attacks fits the time needed to sift through stolen credentials and select the next target. Attribution to TeamPCP is confirmed with high confidence based on a byte-for-byte identical RSA-4096 public key embedded in both the LiteLLM and Telnyx payloads, identical encryption and exfiltration patterns, and the consistent tpcp.tar.gz archive naming signature. The group has also announced collaborations with LAPSUS$ and an emerging ransomware group called Vect, signaling a shift where supply chain compromises are being weaponized as entry points for follow-on extortion and ransomware operations.
Users who installed or upgraded the Telnyx Python package between 03:51 UTC and 10:13 UTC on March 27, 2026 should immediately downgrade to version 4.87.0 and treat the affected environment as fully compromised. All credentials accessible from the affected system, including SSH keys, cloud provider tokens, API keys, database passwords, Kubernetes service account tokens, and CI/CD secrets should be rotated without delay.
- On Windows, administrators should check for msbuild.exe in the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) and delete it along with any accompanying .lock file.
- On Linux, persistence artifacts should be checked at ~/.config/audiomon/ and the audiomon.service systemd unit. In Kubernetes environments, administrators should look for node-setup-* pods in the kube-system namespace.
Network logs should be audited for any connections to 83[.]142[.]209[.]203:8080, and the IP should be blocked at the firewall. Long-term, package maintainers are strongly advised to enable PyPI Trusted Publishers (OIDC) to eliminate long-lived API tokens, pin dependencies with hashes, and use network-isolated builds.
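The checks above can be scripted. The following is an added example written for this article, not a tool from Telnyx or Endor Labs: it reads the installed telnyx version, lists the persistence paths named in the advisory, greps log lines for the C2 address, and filters kubectl pod output for the node-setup-* naming. The log lines and pod JSON are constructed samples. Two locations are assumptions of the example rather than facts from the advisory: the systemd unit-file paths for audiomon.service (the advisory names the unit but not its directory) and the *.lock glob for the Windows lock file (the advisory does not give its name).

```python
# Added example (not from the article, Telnyx, or Endor Labs): host triage for
# the Telnyx PyPI compromise. Standard library only; kubectl output is read
# from a constructed JSON string so the script runs offline.
import importlib.metadata
import json
import os
import platform
import re
from pathlib import Path
from typing import Iterable, List, Optional

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}   # backdoored releases per the advisory
LAST_CLEAN_VERSION = "4.87.0"
C2_RE = re.compile(r"\b83\.142\.209\.203\b(?::\d+)?")   # 83[.]142[.]209[.]203:8080
POD_RE = re.compile(r"^node-setup-")


def installed_telnyx_version() -> Optional[str]:
    """Version of the telnyx distribution in this interpreter, or None if absent."""
    try:
        return importlib.metadata.version("telnyx")
    except importlib.metadata.PackageNotFoundError:
        return None


def is_compromised_version(version: Optional[str]) -> bool:
    return version in MALICIOUS_VERSIONS


def persistence_candidates() -> List[Path]:
    """Artifact locations from the advisory, plus ASSUMED unit-file and lock-file paths."""
    if platform.system() == "Windows":
        startup = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                   / "Start Menu" / "Programs" / "Startup")
        # msbuild.exe is named in the advisory; the *.lock glob is an assumption.
        return [startup / "msbuild.exe", *startup.glob("*.lock")]
    home = Path.home()
    return [
        home / ".config" / "audiomon",                                   # from the advisory
        home / ".config" / "systemd" / "user" / "audiomon.service",      # ASSUMED location
        Path("/etc/systemd/system/audiomon.service"),                    # ASSUMED location
    ]


def present_persistence_artifacts() -> List[Path]:
    return [p for p in persistence_candidates() if p.exists()]


def find_c2_hits(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that mention the C2 address (any port)."""
    return [line for line in log_lines if C2_RE.search(line)]


def suspicious_pods(pod_list_json: str) -> List[str]:
    """Filter `kubectl get pods -n kube-system -o json` output for node-setup-* pods."""
    items = json.loads(pod_list_json).get("items", [])
    return [i["metadata"]["name"] for i in items if POD_RE.match(i["metadata"]["name"])]


# ---- constructed sample inputs (not real traffic or cluster state) ----------
SAMPLE_LOG = [
    "2026-03-27T04:02:11Z host1 python3 -> 83.142.209.203:8080 GET /ringtone.wav",
    "2026-03-27T04:03:00Z host1 pip -> 203.0.113.10:443 GET /simple/telnyx/",
    "2026-03-27T05:10:44Z host2 python3 -> 83.142.209.203:8080 POST /upload tpcp.tar.gz",
]
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "coredns-5d78c9869d-abcde", "namespace": "kube-system"}},
    {"metadata": {"name": "node-setup-worker-1", "namespace": "kube-system"}},
]})

if __name__ == "__main__":
    v = installed_telnyx_version()
    status = "COMPROMISED, rotate credentials" if is_compromised_version(v) else "not a known-bad version"
    print(f"telnyx version: {v} -> {status}; last clean release is {LAST_CLEAN_VERSION}")
    for p in present_persistence_artifacts():
        print("persistence artifact present:", p)
    for line in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", line)
    print("suspicious pods:", suspicious_pods(SAMPLE_PODS))
```

Run it inside the same virtual environment that imported telnyx, since importlib.metadata only sees that interpreter's site-packages. A hit on is_compromised_version is the trigger to rotate, not merely to downgrade; the advisory's instruction to treat the host as fully compromised means rebuilding it after credentials are rotated. For the long-term hash pinning the advisory recommends, pip's --require-hashes mode (pip install --require-hashes -r requirements.txt) refuses any artifact whose digest is not listed, which would have rejected 4.87.1 and 4.87.2 on a pinned 4.87.0.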