The popular Telnyx Python SDK on PyPI was hijacked to deploy a multi‑stage credential‑stealing operation that targets cloud infrastructure, Kubernetes clusters, and developer environments at scale.
On March 27, 2026, TeamPCP uploaded two malicious Telnyx SDK releases, versions 4.87.1 and 4.87.2, directly to PyPI at around 03:51 UTC, bypassing the normal GitHub‑backed release flow used by the official maintainers.
The legitimate Telnyx repository still shows 4.87.0 as the latest tagged version, a clear red flag that the PyPI publishing token was hijacked and abused outside the standard CI/CD pipeline.
Both malicious versions remained available for roughly four hours before PyPI intervened and quarantined them, during which time any installation of these releases should be treated as a probable compromise.
The incident, attributed to the threat actor TeamPCP, is part of a rapid, multi‑ecosystem supply chain campaign that has already hit Trivy, Checkmarx, LiteLLM, and dozens of npm packages in less than two weeks.
The Telnyx package is widely adopted, with hundreds of thousands to over a million monthly downloads, so the blast radius includes not only direct users but every downstream project that pins or vendors the SDK.
Because the library is typically deployed in back‑end services that handle API keys and real‑time communication workflows, it often runs in environments saturated with high‑value secrets.
Telnyx Python SDK
TeamPCP’s modification is small but surgical: a single internal file, _client.py, was altered while the rest of the wheel remains byte‑for‑byte identical to 4.87.0, and all RECORD hashes verify cleanly because the attacker used Telnyx’s own build tooling and a valid PyPI token.
This means common integrity controls such as pip install --require-hashes or lockfile‑based workflows would not have flagged the packages, since they protect against tampering with published artifacts, not malicious content inside a legitimately built release.
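To show why RECORD verification passes here, the following added example (not code from the article or from Telnyx) builds two constructed stand-in wheels, a clean one and a rebuilt one where only _client.py differs, with RECORD regenerated by the same build logic; RECORD verification succeeds for both, and only a content comparison against a known-good build surfaces the changed file. File names and contents are constructed placeholders.

```python
import base64
import hashlib
import io
import zipfile

def _record_digest(data: bytes) -> str:
    # RECORD stores sha256 as urlsafe base64 with '=' padding stripped (PEP 376/427)
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def build_wheel(files: dict, dist_info: str) -> bytes:
    """Zip the files and write a RECORD that matches them, as any build backend does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        rows = []
        for path, data in files.items():
            zf.writestr(path, data)
            rows.append(f"{path},sha256={_record_digest(data)},{len(data)}")
        rows.append(f"{dist_info}/RECORD,,")  # RECORD lists itself without a hash
        zf.writestr(f"{dist_info}/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue()

def verify_record(wheel: bytes) -> bool:
    """True when every hashed RECORD entry matches the bytes actually in the zip."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        record = next(n for n in zf.namelist() if n.endswith(".dist-info/RECORD"))
        for line in zf.read(record).decode().splitlines():
            path, digest, _size = line.split(",")
            if not digest:  # RECORD's own row carries no hash
                continue
            algo, expected = digest.split("=", 1)
            if algo != "sha256" or _record_digest(zf.read(path)) != expected:
                return False
    return True

def changed_files(wheel_a: bytes, wheel_b: bytes) -> list:
    """Paths whose content differs between two builds (RECORD itself is ignored)."""
    def contents(w):
        with zipfile.ZipFile(io.BytesIO(w)) as zf:
            return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/RECORD")}
    a, b = contents(wheel_a), contents(wheel_b)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

# Constructed stand-ins: a clean build and a rebuild where only one file was altered.
CLEAN = {"telnyx/__init__.py": b"from ._client import Client\n",
         "telnyx/_client.py": b"class Client:\n    pass\n"}
TROJANED = {**CLEAN, "telnyx/_client.py":
            b"class Client:\n    pass\n_run_loader()  # constructed stand-in, not real code\n"}
CLEAN_WHL = build_wheel(CLEAN, "telnyx-4.87.0.dist-info")
BAD_WHL = build_wheel(TROJANED, "telnyx-4.87.1.dist-info")
```

Both wheels pass verify_record, which is exactly the blind spot described above; comparing the new release against the artifact built from the last trusted tag is what reveals the single modified file.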
The malicious code executes immediately on import: simply running import telnyx is enough to trigger the backdoor, with no extra configuration or function calls required.
On Windows, a setup() routine downloads a WAV file from the attacker’s command‑and‑control (C2) server, extracts a PE payload hidden via steganography, and stores it as msbuild.exe in the user’s Startup folder to gain persistence across logons.

On Linux and macOS, a separate FetchAudio() path spawns a detached Python loader that fetches another WAV‑embedded payload, runs a full credential harvester in memory, encrypts the collected data using hybrid AES‑256 and RSA‑4096, and exfiltrates it back to the same C2.
Once fully staged, the Telnyx malware aggressively sweeps the host for secrets across cloud providers, infrastructure, and applications, including AWS, GCP, and Azure credentials, SSH keys, Docker and registry tokens, database connection files, TLS keys, and common .env files throughout application directories.
The Linux harvester is particularly dangerous in containerized and CI/CD workloads, where it can discover Kubernetes service account tokens, dump secrets across all namespaces through the API, and then deploy privileged pods to every node to drop a persistent Python backdoor as a systemd service.

Exfiltrated data is bundled into a tpcp.tar.gz archive and sent over HTTP to the attacker’s infrastructure, usually 83.142.209.203:8080, with a distinctive X-Filename: tpcp.tar.gz header that now serves as a strong detection signature across multiple TeamPCP operations.
Ongoing TeamPCP Campaign
Security researchers have connected the Telnyx SDK compromise to a broader, fast‑moving TeamPCP supply chain campaign spanning PyPI, npm, Docker Hub, and GitHub Actions.
The PE starts by neutralizing endpoint detection. It reads a clean copy of ntdll.dll from disk, maps it into memory, and overwrites the .text section of the already-loaded ntdll with the clean version.

Previous waves abused CI/CD credentials and registry tokens to push trojanized releases of Trivy, Checkmarx components, LiteLLM, and more than 40 npm packages, using similar loader patterns, steganography tricks, and the same tpcp exfiltration marker.
The group’s tooling includes advanced techniques such as WAV‑ and PNG‑based payload hiding, NTDLL unhooking on Windows, Kubernetes‑aware lateral movement, and modular RAT components, indicating a mature and evolving offensive platform rather than one‑off implants.
The hashing algorithm is djb2 (seed 0x1505, multiplier 33, case-sensitive). A function at 0x140007BC0 walks the export tables of loaded DLLs, hashes each export name, and compares it against a list of target hashes.

Recent reporting also highlights a partnership between TeamPCP, Vect, and BreachForums, combining large‑scale credential theft with established underground marketplaces and ransomware‑aligned operators.
This alignment significantly raises the risk that credentials stolen via Telnyx and related supply chain breaches will be recycled into future extortion, data theft, or ransomware incidents against enterprises and cloud environments.
Any environment that installed Telnyx versions 4.87.1 or 4.87.2 should assume compromise, initiate incident response, and perform full credential rotation across all reachable systems, including SSH keys, Kubernetes tokens, registries, and databases.
Simply uninstalling the package is not sufficient, because the attack drops persistent components on both Windows and Kubernetes nodes that survive removal of the original library.
Defenders should immediately block known C2 infrastructure such as 83.142.209.203:8080 and checkmarx.zone, hunt for HTTP POST traffic with X-Filename: tpcp.tar.gz, and scan for filesystem artifacts like msbuild.exe in the Startup folder or sysmon.py‑style backdoors on Linux hosts.
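As an added example (not code from the article or any vendor tool), the following hunt logic applies the indicators above to a few constructed proxy log lines: it flags the reported C2 endpoint and domain, and separately flags any POST carrying the X-Filename: tpcp.tar.gz header, so the signature still fires if the destination changes. The tab-separated log format, IP addresses other than the one named in the article, and the cdn.checkmarx.zone subdomain are all constructed for the sample.

```python
import re

# Indicators named in the article for this campaign
C2_ENDPOINTS = {("83.142.209.203", 8080)}
C2_DOMAINS = {"checkmarx.zone"}
EXFIL_HEADER = re.compile(r"^x-filename:\s*tpcp\.tar\.gz\s*$", re.IGNORECASE)

def parse_line(line: str) -> dict:
    """Constructed tab-separated proxy log: ts, src, method, host, port, uri, headers ('|'-joined)."""
    ts, src, method, host, port, uri, headers = line.split("\t")
    return {"ts": ts, "src": src, "method": method.upper(), "host": host.lower(),
            "port": int(port), "uri": uri,
            "headers": [h.strip() for h in headers.split("|") if h.strip()]}

def classify(ev: dict) -> list:
    """Return the reasons an event matches the campaign's indicators (empty if clean)."""
    reasons = []
    if (ev["host"], ev["port"]) in C2_ENDPOINTS:
        reasons.append("known TeamPCP C2 endpoint")
    if any(ev["host"] == d or ev["host"].endswith("." + d) for d in C2_DOMAINS):
        reasons.append("known TeamPCP C2 domain")
    # The header signature fires even when the destination is new infrastructure
    if ev["method"] == "POST" and any(EXFIL_HEADER.match(h) for h in ev["headers"]):
        reasons.append("tpcp.tar.gz exfiltration header")
    return reasons

def hunt(log_text: str) -> list:
    """Scan a whole log; each hit is (ts, src, 'host:port', [reasons])."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], ev["src"], f"{ev['host']}:{ev['port']}", reasons))
    return hits

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = "\n".join([
    "# ts\tsrc\tmethod\thost\tport\turi\theaders",
    "2026-03-27T04:02:11Z\t10.1.4.22\tGET\tapi.telnyx.com\t443\t/v2/messages\tUser-Agent: python-requests",
    "2026-03-27T04:03:40Z\t10.1.4.22\tPOST\t83.142.209.203\t8080\t/\tX-Filename: tpcp.tar.gz|Content-Type: application/octet-stream",
    "2026-03-27T04:05:02Z\t10.1.7.9\tGET\tcdn.checkmarx.zone\t443\t/a.wav\tUser-Agent: python-urllib",
    "2026-03-27T04:09:55Z\t10.1.7.9\tPOST\t198.51.100.7\t8080\t/upload\tx-filename: TPCP.tar.gz",
    "2026-03-27T04:10:30Z\t10.1.4.22\tPOST\tapi.telnyx.com\t443\t/v2/calls\tContent-Type: application/json",
])
```

Running hunt(SAMPLE_LOG) yields three hits: the reported C2 endpoint, the C2 domain, and a POST to an unlisted address that still carries the exfiltration header; the legitimate Telnyx API traffic is left alone.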
Longer term, organizations should harden their software supply chain by enforcing multi‑factor authentication and scoped tokens on publishing accounts, adopting OIDC‑based “trusted publisher” flows on PyPI, pinning dependencies with lockfiles, and running installs in ephemeral environments that do not expose long‑lived secrets.