Malware hidden in backdoored Telnyx PyPI package

Summary
– Attackers compromised the legitimate Telnyx AI Voice Agent SDK and published malicious versions (4.87.1 and 4.87.2) on the PyPI repository.
– The compromise likely occurred because the attackers previously stole PyPI publishing credentials during an earlier breach of the litellm package.
– The malicious package uses a new delivery method, hiding its payload in a WAV file and fetching the final malware from a command-and-control server at runtime.
– The malware steals a wide range of sensitive data, including cloud credentials and SSH keys, and can deploy persistent implants across entire Kubernetes clusters.
– Security researchers attribute this attack to TeamPCP based on multiple technical indicators, such as a specific encryption scheme used in their previous supply chain attacks.

A new software supply chain attack has emerged, with the Telnyx SDK for AI Voice Agent services being the latest target. Researchers from Endor Labs have identified malicious versions of this popular Python package uploaded to the official PyPI repository. The threat actors, identified as TeamPCP, backdoored the legitimate code and published two compromised versions, 4.87.1 and 4.87.2, in quick succession on March 27, 2026. The first version contained a typo that rendered the malicious code non-functional, forcing the attackers to issue a corrected release shortly after.
The attack vector likely stems from a previous compromise. According to Endor Labs researcher Kiran Raj, the group’s earlier breach of the LiteLLM project provided them with a trove of stolen credentials. Their malware harvested environment variables and configuration files from any system that imported LiteLLM. If a developer or CI pipeline with LiteLLM installed also had access to the Telnyx PyPI publishing token, that credential was likely captured. The three-day gap between the LiteLLM and Telnyx incidents aligns with the time needed to sift through stolen data and select the next high-value target. The telnyx project on PyPI has now been quarantined.
This latest incident reveals an evolution in TeamPCP’s malware delivery tactics. Unlike previous attacks, the malicious payload was embedded within the audio frame data of a legitimate WAV file. The malicious packages were also smaller, as the real payload is fetched at runtime from a command-and-control server using a raw IP address. When the compromised Telnyx package is imported, it executes immediately. On Windows systems, it retrieves and installs a persistent executable. On Linux and macOS, it deploys a sophisticated information stealer.
This stealer is designed to exfiltrate a vast array of sensitive data, including SSH keys, cloud credentials, and authentication details from tools like Docker, npm, and Git. It also targets database credentials, environment configuration files, shell histories, and cryptocurrency wallet data. The malware exhibits particularly aggressive behavior in Kubernetes environments. If it discovers a service account token, it attempts to compromise the entire cluster by deploying a privileged pod to every node, mounting the host filesystem to install a persistence implant directly.
Analysts have confirmed the attack bears the hallmarks of TeamPCP, the same group behind the recent Trivy, LiteLLM, and Checkmarx compromises. The attribution is based on multiple technical indicators, including the use of a specific RSA-4096 public key and an identical encryption scheme for data exfiltration seen in the LiteLLM attack. Researchers have published detailed indicators of compromise and advise that any match should be treated as a full-environment breach, necessitating the rotation of all credentials. Further analysis and mitigation guidance are available from SafeDep and Aikido Security researchers.
(Source: Help Net Security)
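
A check for the two malicious releases named above, as an added example that is not part of the original article or the researchers' tooling: it scans requirements-style pins and installed package metadata for telnyx 4.87.1 and 4.87.2 without importing the package, since the backdoor runs on import. The function names and the sample requirements text are constructed for illustration.

```python
"""Added example: flag the backdoored telnyx releases without importing the package."""
import re
from importlib import metadata

PACKAGE = "telnyx"
BAD_VERSIONS = {"4.87.1", "4.87.2"}  # versions the article names as malicious

# Matches exact pins such as "telnyx==4.87.2" or "Telnyx[extra] == 4.87.1 ; marker".
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)"
)

def normalize(name):
    """PEP 503 project-name normalization, so Telnyx and TELNYX also match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_pins(text):
    """Return (line_no, version) for each exact pin of a malicious telnyx release.

    Works on requirements.txt content or `pip freeze` output. Versions are
    compared as plain strings; comment lines and hash continuations are skipped.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((line_no, m.group(2)))
    return hits

def installed_bad_version():
    """Read installed metadata only. Never `import telnyx` to check the version:
    per the article, the malicious code executes as soon as the package is imported."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

# Constructed sample input (not taken from a real project).
SAMPLE = """\
requests==2.31.0
Telnyx == 4.87.2 ; python_version >= "3.9"
telnyx==4.86.0
# telnyx==4.87.1 (commented out, must not match)
telnyx==4.87.1 \\
    --hash=sha256:<placeholder>
"""

if __name__ == "__main__":
    for line_no, version in scan_pins(SAMPLE):
        print(f"line {line_no}: telnyx {version} is a known-malicious release")
    print("installed:", installed_bad_version() or "no malicious telnyx version found")
```

A hit from either function falls under the researchers' advice above: treat the environment as fully breached and rotate all credentials.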




