Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP compromised the Telnyx PyPI package, uploading malicious 4.87.1 and 4.87.2 releases that drop credential-stealing malware hidden in a WAV file. The backdoored SDK triggers on import, downloads an obfuscated WAV payload via C2, extracts code with XOR decryption, and harvests SSH keys, cloud tokens, crypto wallets, environment variables, and more. On Windows it drops msbuild.exe into the Startup folder; on Linux/macOS it spawns a detached process that pulls the steganographic file. Kubernetes hosts are also targeted to enumerate secrets and deploy privileged pods. The legitimate Telnyx SDK is available in version 4.87.0; any system importing the compromised versions should be treated as fully compromised and have all secrets rotated immediately.

Security researchers have uncovered a supply-chain compromise involving the Telnyx Python SDK published on the Python Package Index. On March 27, 2026, attackers tied to a group known as TeamPCP released backdoored builds of the Telnyx package, specifically versions 4.87.1 and 4.87.2. This campaign builds on a pattern of exploits previously attributed to the same actor, including other supply-chain incidents and wiper deployments, and is linked to the actor through a consistent exfiltration approach and RSA key usage seen in earlier campaigns.
The first malicious release, Telnyx 4.87.1, appeared at 03:51 UTC and carried a payload that did not function as intended. About an hour later, at 04:07 UTC, the actor published Telnyx 4.87.2 to fix that issue. The Telnyx PyPI package is the official SDK intended to help developers integrate Telnyx services—such as VoIP, messaging (SMS, MMS, WhatsApp), fax, and IoT connectivity—into applications. The project is widely used, reportedly receiving hundreds of thousands of downloads each month on PyPI, making it an attractive target for supply-chain manipulation.
In the malicious releases, the harmful code resides in telnyx/_client.py. The backdoor activates upon import, while the legitimate SDK components remain usable. On Linux and macOS, the payload spawns a detached process that downloads a second-stage payload disguised as a WAV audio file (ringtone.wav) from a remote command-and-control (C2) server. To avoid detection, the threat actor employs steganography, embedding malicious data within the audio file’s data frames without visibly altering the audio’s playback. A straightforward XOR-based decryption routine extracts the hidden payload, which then executes in memory to harvest sensitive data from the infected host.
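As an added defender-side example (not code from the article or from the Telnyx project), the check below flags regions of a WAV file's PCM frames that behave like noise rather than audio, which is the signature a payload embedded in the data frames leaves behind. The 16-bit mono format, the 256-sample window, the 0.15 threshold, and the constructed tone and payload blob are all assumptions made for this example.

```python
"""Heuristic check for non-audio data hidden inside WAV PCM frames."""
import io
import math
import random
import struct
import wave


def build_wav(samples: list[int], rate: int = 8000) -> bytes:
    """Serialise 16-bit mono PCM samples into an in-memory WAV file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def frame_roughness(wav_bytes: bytes, window: int = 256) -> list[float]:
    """Mean absolute sample-to-sample step per window, normalised to 0..1.

    Genuine audio is smooth (small steps between neighbouring samples);
    XOR-obfuscated code or a compressed blob dropped into the frames looks
    like noise, with steps averaging about a third of the full 16-bit range.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("this example handles 16-bit mono PCM only")
        raw = w.readframes(w.getnframes())
    samples = struct.unpack(f"<{len(raw) // 2}h", raw)
    scores = []
    for start in range(0, len(samples) - window, window):
        chunk = samples[start:start + window + 1]
        step = sum(abs(b - a) for a, b in zip(chunk, chunk[1:])) / window
        scores.append(step / 65536)
    return scores


def suspicious_windows(wav_bytes: bytes, threshold: float = 0.15) -> list[int]:
    """Indices of windows whose roughness exceeds the (assumed) threshold."""
    return [i for i, s in enumerate(frame_roughness(wav_bytes)) if s > threshold]


# Constructed sample input: a clean 440 Hz tone, and the same tone with a
# deterministic noise-like blob (standing in for an obfuscated payload)
# spliced into the frames at sample 4096.
TONE = [int(8000 * math.sin(2 * math.pi * 440 * n / 8000)) for n in range(8000)]
CLEAN_WAV = build_wav(TONE)
BLOB = list(struct.unpack("<1024h", random.Random(7).randbytes(2048)))
TAINTED_WAV = build_wav(TONE[:4096] + BLOB + TONE[4096:])
```

Windows 16 through 19 of the tainted file, where the blob sits, score near 0.33 against roughly 0.03 for the tone, so the threshold separates them with a wide margin on this input; real-world audio with sharp transients will score higher than a pure tone and the threshold should be tuned on known-good files.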
If a Kubernetes cluster is present on the machine, the malware enumerates cluster secrets and deploys privileged pods across nodes, seeking broader access to the host environment. On Windows, the infection path differs: a second WAV file (hangup.wav) is downloaded to extract an executable named msbuild.exe. This executable is placed in the Startup folder to ensure persistence across reboots, with a lock file mechanism limiting repeated execution within a 12-hour window.
Security researchers emphasize that Telnyx version 4.87.0 is the clean variant, containing the legitimate Telnyx code with no alterations. The compromised 4.87.1 and 4.87.2 releases were the vehicles for the payload, and developers are cautioned to identify and isolate these versions in their environments. Any system that imported the malicious package versions should be treated as fully compromised, since the payload executes at runtime and may have already exfiltrated sensitive data. In such cases, every secret that was reachable from the host (SSH keys, cloud tokens, environment variables, wallet material) should be rotated and its credentials reviewed.
The backdoor’s operators leveraged stolen publishing credentials for the PyPI registry to push the tainted builds. Monitoring and attribution point to TeamPCP, based on the recurrence of the same exfiltration pattern and RSA key usage observed in prior actions attributed to the group. The broader notes from researchers connect this activity to multiple recent campaigns associated with TeamPCP, including supply-chain hits on other open-source projects and wiper deployments targeting Iranian systems.
The Telnyx package’s popularity—combined with the stealthy use of a legitimate-appearing import-time payload and a concealed second-stage downloader—highlights the evolving risk associated with third-party software dependencies. The incident underscores the importance of vigilant package hygiene and the need to verify publisher credentials and release integrity for dependencies that ship with critical communication capabilities.
In summary, between the backdoor’s stealthy injection into a widely used SDK, the dual-platform delivery mechanisms (Linux/macOS with the WAV-based steganographic payload and Windows with a startup-persisting msbuild.exe), and the targeted cluster-environment behavior, this campaign demonstrates a sophisticated approach to data exfiltration and persistence. The 4.87.0 release stands out as the clean variant, while the 4.87.1 and 4.87.2 releases exemplify how legitimate tools can be weaponized to reach a broad developer audience.