Full Report
TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data. The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) repository on March 27, 2026, concealed their credential harvesting capabilities within a .WAV file. Users are
Analysis Summary
# Threat Actor: TeamPCP
## Attribution & Identity
- **Name:** TeamPCP
- **Aliases:** N/A (Currently identified primarily by this moniker in recent reports)
- **Associations:** Known for conducting high-profile software supply chain attacks within the open-source ecosystem, specifically targeting Python developers and cloud-native security tools.
## Activity Summary
TeamPCP is a sophisticated actor focused on supply chain compromise. Most recently, on March 27, 2026, the actor successfully compromised the legitimate **telnyx** Python package on PyPI. They published two malicious versions (4.87.1 and 4.87.2) designed to steal sensitive data. This follows a pattern of previous successful compromises against popular developer-centric tools.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Pushing malicious updates to legitimate packages (T1195.002).
- **Steganography:** Concealing malicious logic and credential harvesting payloads within innocuous media files, specifically **.WAV** audio files, to evade signature-based detection.
- **Credential Harvesting:** Automated extraction of environment variables, keys, and sensitive data from the developer's environment.
- **Dependency Hijacking:** Leveraging the trust of popular existing projects to deliver malware to downstream users.
## Targeting
- **Sectors:** Technology, Software Development, Cloud Infrastructure, and Cyber Security.
- **Geography:** Global (Distribution via PyPI affects users worldwide).
- **Victims:**
- **Previous:** Trivy (vulnerability scanner), KICS (Infrastructure-as-Code security), and litellm.
- **Current:** Users and organizations utilizing the `telnyx` Python SDK.
## Tools & Infrastructure
- **Malware Families:** Custom credential harvesters embedded via steganography.
- **Infrastructure:**
- **Repository:** Python Package Index (PyPI)
- **Malicious Versions:** `telnyx` v4.87.1 and v4.87.2.
- **Exfiltration:** (C2 details not specified in the snippet, but generally involves HTTP/S exfiltration to actor-controlled endpoints).
## Implications
TeamPCP represents a significant threat to the DevOps pipeline and the "Shift Left" security movement. By targeting the very tools used for security scanning (Trivy, KICS), they undermine the integrity of the security audit process. Their move into SDKs like `telnyx` (used for telephony/communications APIs) suggests an interest in intercepting communication credentials or sensitive enterprise data.
## Mitigations
- **Version Pinning:** Avoid using wildcard versions or "latest" tags in requirements files; pin to known-good versions (e.g., `telnyx==4.87.0`).
- **Hash Verification:** Implement hash checking for all Python dependencies to ensure the integrity of the downloaded package.
- **Auditing:** Perform regular audits of dependency trees for unexpected updates or suspicious version jumps.
- **Environment Isolation:** Use secrets management tools (e.g., HashiCorp Vault, AWS Secrets Manager) rather than storing sensitive keys in environment variables that are easily harvested by malicious scripts.
- **Scanning:** Utilize Software Composition Analysis (SCA) tools capable of detecting anomalous behaviors or known malicious package versions.