PROBABLYPWNED
Malware · March 29, 2026 · 3 min read

TeamPCP Hijacks Telnyx PyPI Package to Deploy WAV-Hidden Stealer

TeamPCP compromised the popular telnyx Python SDK on PyPI, hiding credential-stealing malware inside WAV audio files. Versions 4.87.1 and 4.87.2 affected—downgrade immediately.

James Rivera

The threat actor TeamPCP has struck again, this time compromising the telnyx Python package on PyPI and using audio steganography to conceal credential-stealing malware inside WAV files. The attack continues an aggressive supply chain campaign that has already hit Trivy, litellm, and KICS in recent weeks.

What Happened

On March 27, 2026, attackers pushed two malicious versions of the telnyx SDK—4.87.1 and 4.87.2—to the Python Package Index. According to researchers at Aikido, both versions remained available for approximately six hours between 03:51 UTC and 10:13 UTC before PyPI quarantined the project.

The telnyx package provides a Python interface to Telnyx's telecommunications API and has accumulated over 742,000 downloads. Anyone who installed or upgraded the library during that window should assume full compromise.

How the Attack Works

TeamPCP injected malicious code into telnyx/_client.py, causing it to execute automatically when applications import the package. The payload differs by operating system:

Windows systems:

  1. The malware downloads hangup.wav from a command-and-control server
  2. It extracts an embedded executable from the audio file using steganography
  3. The extracted executable is dropped into the Windows Startup folder as msbuild.exe, giving it persistence across reboots

Linux and macOS systems:

  1. A different audio file (ringtone.wav) delivers the payload
  2. A Python-based collector script runs entirely in memory
  3. The malware operates within a self-destructing temporary directory, leaving near-zero forensic artifacts

Both variants harvest credentials, environment variables, shell histories, and Kubernetes service account tokens. Stolen data gets compressed into tpcp.tar.gz and exfiltrated via HTTP POST with XOR obfuscation.

Indicators of Compromise

Security teams should monitor for:

  • C2 server: 83.142.209[.]203:8080
  • Windows artifact: msbuild.exe present in Startup directories
  • Network traffic: HTTP POST requests containing tpcp.tar.gz
  • Audio files: Downloads of hangup.wav or ringtone.wav from suspicious sources
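To turn the indicators above into something a SOC can run, here is an added example (not from the article, not a Telnyx or Aikido tool) that scans egress-proxy log lines for the C2 endpoint, the WAV downloads and POSTs carrying tpcp.tar.gz. The log layout is a constructed "timestamp client method url status" format; the sample lines are constructed too, and the C2 address is the article's, written un-defanged so it matches raw log text.

```python
"""Scan proxy/egress log lines for the telnyx-compromise indicators.

Added example, not from the article. The log format below is constructed
(a generic 'timestamp client method url status' layout); adapt LOG_RE to
the proxy you actually run.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators quoted from the article. The IP is defanged there
# (83.142.209[.]203); it is written plainly here so it matches log text.
C2_HOST = "83.142.209.203"
C2_PORT = "8080"
STEGO_FILES = ("hangup.wav", "ringtone.wav")
EXFIL_ARCHIVE = "tpcp.tar.gz"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    client: str
    url: str


def classify(method: str, url: str) -> List[str]:
    """Return the indicator names one request matches (possibly several)."""
    reasons = []
    if f"{C2_HOST}:{C2_PORT}" in url or f"://{C2_HOST}/" in url:
        reasons.append("c2-endpoint")
    # Any download of the two stego carrier names; the source host still
    # needs review, since a legitimate ringtone.wav is not impossible.
    if url.rsplit("/", 1)[-1].lower() in STEGO_FILES:
        reasons.append("stego-wav-download")
    # Exfiltration is an HTTP POST; most proxies log only the URL, so this
    # matches the archive name in the URL. If your proxy records upload
    # filenames, extend the check to that field as well.
    if method == "POST" and EXFIL_ARCHIVE in url:
        reasons.append("exfil-archive-post")
    return reasons


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over every parseable log line and collect the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these in a real deployment
        for reason in classify(m["method"], m["url"]):
            hits.append(Hit(n, reason, m["client"], m["url"]))
    return hits


# Constructed sample log: two benign lines and three that match indicators.
SAMPLE_LOG = """\
2026-03-27T04:02:11Z 10.0.4.17 GET https://pypi.org/simple/telnyx/ 200
2026-03-27T04:02:13Z 10.0.4.17 GET http://83.142.209.203:8080/hangup.wav 200
2026-03-27T04:02:20Z 10.0.4.17 POST http://83.142.209.203:8080/upload/tpcp.tar.gz 200
2026-03-27T04:03:02Z 10.0.4.22 GET https://cdn.example.test/sounds/ringtone.wav 200
2026-03-27T04:05:40Z 10.0.4.31 GET https://api.telnyx.com/v2/messages 200
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no}: {h.indicator} from {h.client} -> {h.url}")
```

A hit on the C2 endpoint is high confidence on its own; a bare stego-wav-download hit from a non-C2 host is a lead to triage (who downloaded it, what process made the request), not a verdict.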

The Bigger Picture

This compromise is part of TeamPCP's broader campaign targeting developer tooling across multiple ecosystems. The group has announced collaborations with LAPSUS$ and an emerging ransomware operation called Vect, signaling ambitions beyond simple credential theft.

The telnyx attack demonstrates increasing sophistication. Hiding payloads inside audio files isn't new, but combining steganography with software supply chain compromise creates a detection challenge—network security tools rarely inspect audio traffic, and the legitimate-looking WAV downloads blend into normal application behavior.

For organizations tracking this threat actor, the pattern is now clear: TeamPCP targets popular developer packages, compromises maintainer credentials or CI/CD pipelines, and rapidly deploys credential stealers before detection. The group moves fast—the Trivy and litellm compromises followed similar playbooks within days of each other.

Immediate Actions

  1. Audit all Python environments for telnyx versions 4.87.1 or 4.87.2
  2. Downgrade to version 4.87.0 immediately if affected
  3. Rotate all secrets—assume complete credential exposure if the malicious versions ran
  4. Search Windows systems for msbuild.exe in Startup folders
  5. Block the C2 infrastructure at your network perimeter

The telnyx project on GitHub has acknowledged the incident and confirmed that version 4.87.0 remains safe. PyPI has quarantined the package pending further review.

Organizations using Python in CI/CD pipelines should consider pinning dependencies by hash rather than version number—a practice that would have prevented automatic installation of the compromised releases. For broader guidance on protecting development environments, see our supply chain attack defense guide.
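Step 1 of the Immediate Actions list and the hash-pinning advice above share one building block: parsing a pinned requirement line. The added example below (not from the article or the telnyx project) does both jobs with that one parser: it flags the two malicious telnyx versions in `pip freeze` output or a requirements file, and it verifies a downloaded artifact against a `--hash=sha256:` pin, failing closed when no pin is present. The requirements lines and the wheel bytes are constructed, and the digests in them are placeholders, not real hashes of any telnyx release.

```python
"""Audit pinned Python dependencies for the malicious telnyx releases and
verify a hash-pinned artifact before trusting it.

Added example, not from the article or the telnyx project. It reads the
'pkg==ver --hash=sha256:...' form that pip accepts in requirements files,
which is also the form 'pip freeze' prints (without hashes).
"""
import hashlib
import re
from typing import Iterable, List, Optional, Set, Tuple

AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}  # versions named in the article
SAFE_FALLBACK = {"telnyx": "4.87.0"}         # version the article calls safe

REQ_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[^\s;#\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[Tuple[str, str, Set[str]]]:
    """Return (name, version, {sha256 hex digests}) for an '==' pin, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    return normalize(m["name"]), m["ver"], set(HASH_RE.findall(line))


def find_affected(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Flag (line_no, name, version) for every pin on a known-bad release."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_requirement(line)
        if parsed and parsed[1] in AFFECTED.get(parsed[0], set()):
            hits.append((n, parsed[0], parsed[1]))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned: Set[str]) -> bool:
    """True only if the artifact's sha256 is one of the pinned digests.

    An empty pin set fails closed: an unpinned artifact is never trusted,
    which is the same policy 'pip install --require-hashes' enforces."""
    return bool(pinned) and sha256_hex(data) in pinned


# Constructed requirements listing; the digests are placeholders.
PLACEHOLDER_DIGEST = "0" * 64
SAMPLE_REQUIREMENTS = [
    "# constructed example; digests are placeholders, not real wheel hashes",
    f"examplepkg==1.0.0 --hash=sha256:{PLACEHOLDER_DIGEST}",
    "Telnyx==4.87.1",
    f"telnyx==4.87.0 --hash=sha256:{PLACEHOLDER_DIGEST}",
]

if __name__ == "__main__":
    for n, name, ver in find_affected(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {name}=={ver} is a known-malicious release; "
              f"pin {name}=={SAFE_FALLBACK[name]} and rotate secrets")
    wheel = b"constructed stand-in for a downloaded wheel"
    good = {sha256_hex(wheel)}
    print("hash check passes:", verify_artifact(wheel, good))
    print("tampered artifact rejected:", not verify_artifact(wheel + b"x", good))
```

Feeding `pip freeze` output into `find_affected` covers one environment; run it across every virtualenv and container image layer that could have resolved telnyx during the six-hour window. For the pinning itself, `pip install --require-hashes -r requirements.txt` refuses any requirement without a hash and any download whose digest does not match, which is exactly what would have stopped 4.87.1 and 4.87.2 from installing in place of a pinned 4.87.0.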
