TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file. [...]
# Incident Report: TeamPCP Supply-Chain Compromise of Telnyx SDK
## Executive Summary
The official Telnyx Python SDK (telnyx) on the Python Package Index (PyPI) was compromised by the threat actor TeamPCP via stolen maintainer credentials. The attackers uploaded two malicious versions (4.87.1 and 4.87.2) that deliver credential-stealing malware and backdoors hidden within steganographic WAV audio files. The incident impacts a highly popular package with over 740,000 monthly downloads, posing a significant risk of secret exfiltration and Kubernetes cluster takeover.
## Incident Details
- **Discovery Date:** March 27, 2026
- **Incident Date:** March 27, 2026
- **Affected Organization:** Telnyx (and users of the telnyx PyPI package)
- **Sector:** Technology / Communications (VoIP, SMS, IoT SDK)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 27, 2026, 03:51 UTC
- **Vector:** Supply-chain compromise via PyPI registry account takeover.
- **Details:** Attackers likely used stolen credentials to gain access to the Telnyx publishing account on PyPI.
### Lateral Movement
- **Cloud/K8s Movement:** On Linux systems, the malware enumerates Kubernetes cluster secrets and attempts to deploy privileged pods across nodes to gain access to underlying host systems.
### Data Exfiltration/Impact
- **Data Stolen:** SSH keys, cloud tokens, cryptocurrency wallets, environment variables, system secrets, and Kubernetes cluster secrets.
- **System Impact:** Persistence established on Windows machines; potential full host takeover on Linux/macOS.
### Detection & Response
- **Detection:** Identified by security firms Aikido, Socket, and Endor Labs based on RSA keys and exfiltration patterns linked to TeamPCP.
- **Timeline of Releases:**
  - 03:51 UTC: Version 4.87.1 published (featured a non-functioning malicious payload).
  - 04:07 UTC: Version 4.87.2 published (functioning malicious payload).
- **Response Actions:** Public disclosure by researchers; notification to PyPI; advisory for users to roll back to version 4.87.0.
## Attack Methodology
- **Initial Access:** Account Takeover (ATO) of PyPI maintainer credentials.
- **Persistence:** On Windows, drops `msbuild.exe` into the Startup folder.
- **Privilege Escalation:** Deployment of privileged Kubernetes pods to access host nodes.
- **Defense Evasion:** Use of steganography (malware hidden in `ringtone.wav` and `hangup.wav`); XOR-based decryption; execution in memory (Linux/macOS); use of a lock file to limit execution noise (Windows).
- **Credential Access:** Harvesting of SSH keys, environment variables, and cloud provider tokens.
- **Discovery:** Enumeration of Kubernetes cluster secrets.
- **Collection:** Automated harvesting of sensitive files and environment data.
- **Exfiltration:** Data sent to actor-controlled C2 servers.
- **Impact:** Compromise of developer environments and production CI/CD pipelines.
## Impact Assessment
- **Financial:** Potential for significant loss via stolen cryptocurrency wallets and unauthorized cloud resource usage.
- **Data Breach:** High risk; exfiltration of sensitive credentials that provide access to broader corporate infrastructures.
- **Operational:** Developers must roll back versions and rotate all secrets, causing significant remediation overhead.
- **Reputational:** Damage to Telnyx’s brand as a trusted SDK provider.
## Indicators of Compromise
- **File Indicators:**
  - `telnyx/_client.py` (modified to contain the malicious import trigger)
  - `ringtone.wav` (Linux/macOS second-stage)
  - `hangup.wav` (Windows second-stage)
  - `msbuild.exe` (malicious executable in the Startup folder)
- **Behavioral Indicators:**
  - Python processes spawning detached child processes that download files from external IPs.
  - Unexpected creation of privileged Kubernetes pods.
  - Persistent `msbuild.exe` entries in Windows Startup.
## Response Actions
- **Containment:** Security researchers flagged the malicious versions for removal from PyPI.
- **Eradication:** Recommended rollback to clean version (4.87.0). Identification and deletion of `msbuild.exe` and associated WAV files on infected hosts.
- **Recovery:** Mandatory rotation of all secrets (SSH, Cloud tokens, API keys) present on any machine that imported the malicious package.
## Lessons Learned
- **Credential Security:** MFA is critical for package registry accounts to prevent account takeovers.
- **Dependency Risk:** Even "official" SDKs from reputable companies are targets for supply-chain attacks.
- **Steganography Detection:** Traditional file scanning may miss malicious payloads hidden in media files (WAV).
## Recommendations
- **Version Pinning:** Pin dependencies to known-good versions (e.g., `telnyx==4.87.0`) and use hash verification (lock files).
- **Secrets Management:** Use short-lived credentials and OIDC for CI/CD instead of long-lived environment variables.
- **Monitoring:** Implement runtime monitoring for unexpected network connections or file drops from package installation processes.
- **MFA:** Ensure all maintainers of public packages utilize hardware-based MFA for registry accounts.
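A small audit script that ties the file indicators above to the version-pinning recommendation: it flags `telnyx` requirements that are unpinned, pinned to a compromised release, or pinned without a `--hash`, and scans an installed `telnyx` package tree for the two second-stage WAV carriers. This is an added example, not code from the report or from Telnyx; the version numbers and file names are taken from the report, while the sample requirements text and the temporary package tree are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}      # compromised releases (from the report)
KNOWN_GOOD = "4.87.0"                           # rollback target (from the report)
STAGE2_FILES = {"ringtone.wav", "hangup.wav"}   # second-stage carriers (from the report)
# requirement line: name, optional extras, optional comparison operator, optional version
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
                    r"(?P<op>==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#]+)?")

def audit_requirements(text):
    """Return (line, finding) pairs for every telnyx requirement that needs attention."""
    findings = []
    # join backslash-continued lines the way pip does, so --hash options stay on the line
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)          # blank and comment lines do not match
        if not m or m["name"].lower().replace("_", "-") != "telnyx":
            continue
        if m["op"] != "==" or m["ver"] is None:
            findings.append((line, "telnyx not pinned to an exact version"))
        elif m["ver"] in MALICIOUS_VERSIONS:
            findings.append((line, f"pinned to compromised version {m['ver']}; roll back to {KNOWN_GOOD}"))
        elif "--hash=" not in line:
            findings.append((line, "exact pin without --hash; add hash verification"))
    return findings

def scan_package_dir(site_packages):
    """List second-stage WAV carriers found inside an installed telnyx package tree."""
    pkg = Path(site_packages) / "telnyx"
    if not pkg.is_dir():
        return []
    return sorted(p.relative_to(site_packages).as_posix()
                  for p in pkg.rglob("*") if p.is_file() and p.name.lower() in STAGE2_FILES)

def demo_scan():
    """Constructed stand-in for site-packages: a telnyx package carrying ringtone.wav."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "telnyx" / "media"
        media.mkdir(parents=True)
        (media / "ringtone.wav").write_bytes(b"RIFF....WAVE")   # stub bytes, not a real payload
        return scan_package_dir(tmp)
```

Point `scan_package_dir` at a real site-packages directory (for example the output of `python -c "import telnyx, os; print(os.path.dirname(os.path.dirname(telnyx.__file__)))"`) to check an environment that already imported the package; a hit on either WAV file is grounds for the secret rotation described under Recovery.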