
Malware Found in Backdoored Telnyx PyPI Package

Security researchers discovered two malicious versions of the Telnyx Python SDK on PyPI that hide data-stealing malware inside WAV audio files.

On March 27, 2026, threat actors compromised the official Telnyx Python SDK on PyPI, distributing backdoored versions that hide malicious payloads inside WAV audio files. The attack exposed developers to silent credential harvesting triggered by a standard package import. If your applications depend on the Telnyx library for communication APIs, you must audit your environments for compromised secrets immediately.

Incident Timeline

The threat actor gained access to the Telnyx maintainer account on PyPI using stolen credentials. They published two malicious iterations of the package early in the UTC morning. Telnyx quarantined both versions and removed them from PyPI by 10:13 UTC. The breach was isolated to the PyPI distribution channel, leaving Telnyx internal infrastructure and APIs secure.

| Version | Upload Time (UTC) | Payload Status                   |
|---------|-------------------|----------------------------------|
| 4.87.1  | 03:51             | Non-functional (injection error) |
| 4.87.2  | 04:07             | Functional credential stealer    |

The Telnyx package averages over 740,000 monthly downloads. Any system that installed or updated the package during the six-hour window on March 27 received the malicious code.

Steganography and Payload Mechanics

The malicious code resides in the telnyx/_client.py file and executes automatically as soon as the host application runs "import telnyx"; no further function call from the application is needed. The malware uses steganography to conceal secondary payloads inside binary audio frame data.

Execution begins with a network request to a command-and-control server at 83.142.209.203:8080 to download files disguised as standard audio. For Windows targets, this is named hangup.wav, while Linux and macOS receive an unnamed WAV file. The script uses the first 8 bytes of the downloaded file as an XOR key to decode the actual execution instructions hidden within the audio structure.

Platform-Specific Exploitation

The decoded payloads branch execution based on the host operating system. The Linux and macOS payload initiates a script to harvest sensitive environment variables, SSH keys, cryptocurrency wallets, and cloud provider tokens across AWS, GCP, and Azure.

The Windows variant operates differently, prioritizing persistence. It downloads a binary named msbuild.exe and drops it into the system Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) to ensure the malware runs upon every subsequent login. Exfiltrated data from all platforms is encrypted locally using AES-256-CBC and an RSA-4096 public key before transmission back to the attacker infrastructure in a tpcp.tar.gz archive.

Campaign Attribution

Security researchers attribute this compromise to TeamPCP based on the reuse of specific RSA keys and exfiltration headers. This event matches patterns observed in a multi-week credential-chaining campaign targeting developer infrastructure.

The group previously targeted Trivy, multiple npm packages, Checkmarx GitHub Actions, and executed a highly publicized supply chain attack on LiteLLM. These compromises come on the heels of a string of security incidents in the developer ecosystem, including the recent Langflow vulnerability, and highlight the severe risk of unpinned dependencies in production environments.

Because the malware exfiltrates environment data immediately upon execution, rolling back the package version to the last clean release (4.87.0) does not secure an affected environment. You must rotate all API keys, database credentials, and cloud tokens that were accessible to the host machine during the window of compromise. Windows administrators must also manually check for and delete the rogue msbuild.exe file from the Startup directory to break the persistence loop.
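The checks below turn the indicators stated in this write-up (the two bad versions and the 03:51 to 10:13 UTC window, the C2 address, and the msbuild.exe drop in the Windows Startup folder) into an audit a defender can run over pip freeze output, install or egress logs, a file listing, and the process environment. This is an added example, not code from Telnyx or from the researchers; the secret-name pattern used to pick rotation candidates is an assumption you should extend for your own environment, and every sample input is constructed.

```python
"""Audit helpers for the Telnyx PyPI compromise (added example, not Telnyx code)."""
from __future__ import annotations

import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Indicators as stated in the write-up.
COMPROMISED_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"
C2_ADDRESS = "83.142.209.203:8080"
PERSISTENCE_BINARY = "msbuild.exe"
STARTUP_DIR = ("microsoft", "windows", "start menu", "programs", "startup")
WINDOW_START = datetime(2026, 3, 27, 3, 51, tzinfo=timezone.utc)  # 4.87.1 uploaded
WINDOW_END = datetime(2026, 3, 27, 10, 13, tzinfo=timezone.utc)   # removed from PyPI

_PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s;#]+)")
# Assumed naming convention for secret-bearing variables; extend for your environment.
_SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)", re.I)


def compromised_pins(freeze_output: str) -> list[str]:
    """Versions of telnyx pinned in pip-freeze/requirements text that are known bad."""
    hits = []
    for line in freeze_output.splitlines():
        m = _PIN_RE.match(line)
        if m and m.group("name").lower() == "telnyx" and m.group("version") in COMPROMISED_VERSIONS:
            hits.append(m.group("version"))
    return hits


def installed_in_window(installed_at: datetime | str) -> bool:
    """True if an unpinned install/upgrade at this time could have pulled a bad version.

    Accepts a datetime or an ISO-8601 string (e.g. from a pip or CI log); naive
    timestamps are assumed to be UTC.
    """
    if isinstance(installed_at, str):
        installed_at = datetime.fromisoformat(installed_at)
    if installed_at.tzinfo is None:
        installed_at = installed_at.replace(tzinfo=timezone.utc)
    return WINDOW_START <= installed_at <= WINDOW_END


def rogue_startup_entries(paths: list[str]) -> list[str]:
    """Flag msbuild.exe sitting in a Windows Startup folder, the persistence drop location.

    A legitimate MSBuild.exe under a Visual Studio install path is not flagged.
    """
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent = tuple(part.lower() for part in wp.parts[:-1])
        if wp.name.lower() == PERSISTENCE_BINARY and parent[-5:] == STARTUP_DIR:
            flagged.append(p)
    return flagged


def c2_contacts(log_lines: list[str]) -> list[str]:
    """Egress/proxy log lines that reference the C2 address named in the write-up."""
    return [ln for ln in log_lines if C2_ADDRESS in ln]


def rotation_candidates(environ: dict) -> list[str]:
    """Names (never values) of environment variables to rotate after a confirmed exposure."""
    return sorted(k for k in environ if _SECRET_NAME_RE.search(k))


if __name__ == "__main__":
    # Constructed samples; replace with real `pip freeze` output, logs and os.environ.
    print("bad pins:", compromised_pins("requests==2.31.0\ntelnyx==4.87.2\n"))
    print("in window:", installed_in_window("2026-03-27T05:00:00+00:00"))
    print("startup drops:", rogue_startup_entries([
        r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe",
    ]))
    print("c2 hits:", c2_contacts(["CONNECT 83.142.209.203:8080 from build-agent-3"]))
    print("rotate:", rotation_candidates({"AWS_SECRET_ACCESS_KEY": "x", "PATH": "/bin"}))
```

Run it against each build agent and developer workstation that could have resolved telnyx without a pin during the window; a hit from any one of the checks means the full rotation step described above applies to that host, because the exfiltration happens at import time and a version rollback alone does not help.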
