Also, EU probes Snapchat, RedLine suspect extradited, AstraZeneca leak claim surfaces, and more infosec in brief The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on developers’ systems.…
Analysis Summary
# Incident Report: TeamPCP Supply-Chain Attack on Telnyx
## Executive Summary
The threat actor group "TeamPCP" targeted the PyPI (Python Package Index) ecosystem by poisoning the legitimate `telnyx` Python SDK with malicious code. The attack involved replacing official package versions with compromised ones designed to deliver multi-stage infostealers and establish persistence on developer systems. While Telnyx services and infrastructure remained unaffected, the compromise highlights a recurring supply-chain threat targeting Python developers.
## Incident Details
- **Discovery Date:** Approximately March 27, 2026 (Reported by Ox Security)
- **Incident Date:** March 2026
- **Affected Organization:** Telnyx (specifically the Python SDK users)
- **Sector:** Telecommunications / VoIP / AI Services
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Supply-chain compromise via PyPI.
- **Details:** Attackers gained unauthorized access to the Telnyx distribution account on PyPI (or utilized a similar repository hijack method) to push malicious versions 4.87.1 and 4.87.2.
### Lateral Movement
- Not applicable to Telnyx internal infrastructure (per company statement). Movement was focused on the end-user/developer environment where the package was installed.
### Data Exfiltration/Impact
- **Impact:** Installation of a multi-stage infostealer and persistence mechanisms on developer machines and servers running the poisoned SDK. Potential theft of API keys, credentials, and environment variables.
### Detection & Response
- **Detection:** Identified by researchers at Ox Security and subsequently confirmed by Telnyx.
- **Response Actions:** Telnyx removed the malicious versions from PyPI and issued a public warning on X (formerly Twitter) advising users to rotate credentials.
## Attack Methodology
- **Initial Access:** Unauthorized repository access or account takeover used to push malicious Python package versions.
- **Persistence:** Malicious code included built-in persistence mechanisms to survive reboots/sessions.
- **Defense Evasion:** Used a steganography-like delivery technique: the package downloaded a malicious `.wav` file that was then decoded and executed, rather than embedding raw malicious code in the script.
- **Credential Access:** Automated collection of stored credentials and environment secrets.
- **Collection:** Multi-stage infostealer logic targeted developer local environments.
- **Impact:** Unauthorized access to local developer systems; potential for downstream supply-chain attacks.
## Impact Assessment
- **Financial:** No direct loss reported, but potential remediation costs for 34,000+ weekly downloaders.
- **Data Breach:** Exposure of credentials, API keys, and internal source code for any developer who installed the affected versions.
- **Operational:** Developers forced to halt work, audit environments, and rotate all secrets.
- **Reputational:** Damage to Telnyx's perceived security posture around its open-source tools.
## Indicators of Compromise
- **File Indicators:**
  - `telnyx` Python package versions: `4.87.1`, `4.87.2`
  - Suspicious `.wav` files downloaded during package installation/execution.
- **Behavioral Indicators:**
  - Python processes making unexpected outbound network calls to non-Telnyx infrastructure.
  - Unexpected decoding of audio files via Python interpreters.
## Response Actions
- **Containment:** Malicious package versions were pulled from the PyPI registry.
- **Eradication:** Telnyx released clean versions of the SDK.
- **Recovery:** Public advisory issued for users to treat environments as compromised, uninstall the affected versions, and rotate all exposed credentials/API keys.
## Lessons Learned
- **Dependency Vulnerability:** Developers often trust legitimate packages implicitly; minor version bumps can hide significant malicious changes.
- **Evasive Delivery:** The use of non-executable file formats (like `.wav`) to deliver payloads continues to be an effective method for bypassing basic static analysis tools.
- **Recurring Actor:** TeamPCP is a persistent threat targeting the PyPI ecosystem (previously linked to LiteLLM and Trivy compromises), indicating a specialized focus on developer tools.
## Recommendations
- **Version Pinning:** Pin requirements to known-good versions and use hashes (`--generate-hashes` in pip-compile) to prevent automatic updates to malicious releases.
- **Environment Isolation:** Use containers or virtual environments with limited permissions for development work to prevent infostealers from accessing the entire host system.
- **Secrets Management:** Use dedicated secrets managers rather than hardcoding API keys or storing them in plain text `.env` files.
- **Vulnerability Scanning:** Use tools like `pip-audit` or commercial supply-chain security platforms to detect known malicious versions of dependencies.
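As an added example (not from the report, Ox Security or Telnyx), a small Python checker that applies the file indicators above and the version-pinning recommendation to a requirements file: it flags the two malicious `telnyx` releases named in the report, and separately flags entries that are unpinned or pinned without a `--hash`. The sample requirements text is constructed for illustration.

```python
import re

# Malicious telnyx releases named in the report (the only page-specific values used here).
MALICIOUS_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}

# Constructed sample requirements file: a compromised pin, a hash-pinned entry,
# a range specifier and a bare package name.
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project file
telnyx==4.87.1
requests==2.32.3 \\
    --hash=sha256:placeholder_digest_for_illustration_only
httpx>=0.27
telnyx
"""

# Captures the project name and, when present, an exact "==" pin.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;#\\]+))?")


def parse_requirements(text):
    """Join backslash continuations, skip comments/options, return (name, version, has_hash)."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")   # normalise like PyPI does
        entries.append((name, m.group(3), "--hash=" in line))
    return entries


def audit_requirements(text):
    """Return (name, version, reason) findings; an empty list means nothing to act on."""
    findings = []
    for name, version, has_hash in parse_requirements(text):
        if name == "telnyx" and version in MALICIOUS_TELNYX_VERSIONS:
            findings.append((name, version, "known-malicious release: treat host as compromised, rotate secrets"))
        elif version is None:
            findings.append((name, version, "not pinned to an exact version: a malicious point release would be pulled in"))
        elif not has_hash:
            findings.append((name, version, "pinned without --hash: downloaded artifact is not verified against a digest"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version or '<unpinned>'}: {reason}")
```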