Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
Recorded: March 28, 2026, 1 a.m.
Original:

By Bill Toulas, March 27, 2026

TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.

[Figure: Function handling the steganographic file. Source: Endor Labs]
Summarized:

The Telnyx PyPI package, a Software Development Kit (SDK) for integrating with Telnyx communication services, suffered a supply-chain attack attributed to the TeamPCP hacking group. The incident illustrates the risk of depending on third-party packages and the ability of capable attackers to inject malicious code into them. The attack, observed by Aikido, Socket, and Endor Labs, began with the publication of a compromised version 4.87.1, whose payload was non-functional, quickly followed by the malicious 4.87.2 release in which the actor fixed their own code; this kind of rapid correction is a typical pattern in supply-chain attacks.

The backdoor was inserted in the 'telnyx/_client.py' file and triggers at import time, so the SDK keeps working normally while data exfiltration runs alongside it. On Linux and macOS, the malware uses steganography: the malicious code is embedded in a WAV audio file (ringtone.wav) and extracted with an XOR-based decryption routine. It then harvests sensitive information such as SSH keys, credentials, cloud tokens, and cryptocurrency wallet data. On Windows, the malware uses a different WAV file (hangup.wav), from which it extracts and executes an msbuild.exe file, establishing persistence through a startup folder and applying a 12-hour execution lockout to limit how often the payload reruns. In Kubernetes environments, the malware goes further, enumerating cluster secrets and deploying privileged pods across nodes in an attempt to reach the underlying hosts.

The incident underscores the importance of robust vulnerability scanning and continuous monitoring of package dependencies. TeamPCP has a documented history of targeting Iranian systems with wiper attacks and supply-chain compromises.
Security researchers strongly advise developers who have inadvertently installed the compromised 4.87.1 or 4.87.2 releases to revert to the clean Telnyx SDK version 4.87.0. Because the payload runs at runtime and can exfiltrate data, any system that has used these packages should be treated as fully compromised and all of its secrets rotated promptly. The attack reinforces the need for developers to stay vigilant across their software supply chains and to apply rigorous security practices when integrating third-party components.
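As an added example (not code from the article, from Telnyx or from the researchers it cites), the following script turns the advice above into a check: it flags the backdoored telnyx versions in pip requirement or lock lines, treats unpinned specifiers as unverified, and lists any ringtone.wav or hangup.wav files found in the active interpreter's site-packages. The requirements text it scans is a constructed sample.

```python
# Added example, not code from the article, Telnyx or the researchers cited: flag the
# backdoored telnyx releases in pip lines and spot the WAV carrier files the write-up names.
import re
from pathlib import Path

COMPROMISED = {"telnyx": {"4.87.1", "4.87.2"}}   # releases reported as backdoored
SAFE = {"telnyx": "4.87.0"}                      # last clean release per the article
WAV_INDICATORS = {"ringtone.wav", "hangup.wav"}  # Linux/macOS and Windows carriers

# name, optional [extras], optional operator, optional version; environment markers are ignored
_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)?\s*([\w.*+!-]+)?")

def parse_requirement(line):
    """Return (normalized name, operator, version) for one pip line, else None."""
    line = line.split("#", 1)[0].strip()          # drop comments and blank lines
    if not line or line.startswith("-"):          # skip pip options such as -r or --hash
        return None
    m = _REQ.match(line)
    if not m:
        return None
    name, op, ver = m.groups()
    return name.lower().replace("_", "-"), op, ver

def check_requirements(text):
    """Classify each line naming a watched package as compromised, unpinned or ok."""
    findings = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if not parsed or parsed[0] not in COMPROMISED:
            continue
        name, op, ver = parsed
        if op == "==" and ver in COMPROMISED[name]:
            findings.append((name, ver, "compromised", f"pin to {SAFE[name]} and rotate secrets"))
        elif op != "==":        # ranges or bare names let the resolver pick a bad build
            findings.append((name, ver, "unpinned", f"pin to {SAFE[name]} exactly"))
        else:
            findings.append((name, ver, "ok", ""))
    return findings

def suspicious_wavs(paths):
    """Return the given paths whose file name matches a carrier from this campaign."""
    return sorted(p for p in paths if Path(p).name.lower() in WAV_INDICATORS)

SAMPLE_REQUIREMENTS = "# constructed sample lock file\nrequests==2.32.3\ntelnyx==4.87.2\n"

if __name__ == "__main__":
    import sysconfig
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print("requirements:", finding)
    site = Path(sysconfig.get_paths()["purelib"])  # scan the active interpreter's site-packages
    print("suspicious WAV files:", suspicious_wavs(str(p) for p in site.rglob("*.wav")) or "none")
```

The WAV file names are an indicator, not proof: a match warrants inspecting the installed telnyx version and its `_client.py`, and a clean result does not clear a host that has already run a compromised release.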