
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files


The threat actor TeamPCP, previously linked to supply chain attacks on open-source developer and security tooling such as Trivy, KICS, and litellm, has now targeted the Telnyx Python package, publishing two malicious versions built to exfiltrate credentials and other sensitive data.

Versions 4.87.1 and 4.87.2, uploaded to the Python Package Index (PyPI) on March 27, 2026, carried a credential-stealing payload hidden inside .WAV audio files fetched at install or import time. The PyPI project has been quarantined, and users are advised to pin to the last clean release, 4.87.0, immediately.

Multi-Platform Malware Delivery

Analysis from multiple cybersecurity firms, including Socket, Ossprey Security, and Endor Labs, revealed that the malware operates differently depending on the operating system:

  • Windows: Downloads hangup.wav from a command-and-control (C2) server, extracts the embedded payload, and drops it into the Startup folder as msbuild.exe so that it runs at every logon, giving the attacker persistent access.
  • Linux/macOS: Fetches ringtone.wav, extracts a credential harvester that runs only in memory, sends what it collects via HTTP POST to 83.142.209[.]203:8080, and then deletes itself, leaving few forensic traces on disk.

The attack chain hides the payload inside audio files, a form of steganography aimed at passing file- and network-level inspection that sees nothing more than a .WAV download; whether the payload is appended past the audio data, stored in a non-standard chunk, or encoded into the samples is not stated in the public analyses. Unlike the Windows variant and prior TeamPCP campaigns, the Linux/macOS variant is built for fast exfiltration rather than persistence.
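A WAV file that carries more than audio usually shows up in one of two ways: bytes appended after the length the RIFF header declares, or a chunk with an ID that no audio writer would emit. The checker below walks the RIFF chunk list and flags both, and additionally reports an executable magic (PE, ELF, Mach-O) wherever it appears. This is an added example written for this article, not code from the vendors' analyses, and it does not claim to reproduce how this campaign packed its payload; the sample files it inspects are constructed in the block itself.

```python
"""Flag WAV files whose RIFF container holds more than audio."""
import struct
from typing import Dict, List, Tuple

# Chunk IDs a normal WAV writer produces; anything else deserves a look.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext", b"id3 "}

# Magic bytes of native executables. A loader that XORs or compresses its
# payload defeats this particular check, so it is a bonus signal, not the gate.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def build_wav(pcm: bytes, extra_chunks: List[Tuple[bytes, bytes]] = ()) -> bytes:
    """Build a minimal 8 kHz mono 16-bit PCM WAV (constructed sample data)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(pcm)) + pcm + (b"\0" if len(pcm) & 1 else b"")
    for cid, payload in extra_chunks:  # RIFF chunks are padded to an even length
        body += cid + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


def inspect_wav(blob: bytes) -> Dict:
    """Return the chunk list plus any findings that make the file suspicious."""
    findings: List[str] = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"is_wav": False, "chunks": [], "findings": ["not a RIFF/WAVE container"], "suspicious": True}
    declared = struct.unpack("<I", blob[4:8])[0] + 8  # RIFF size excludes its own 8-byte header
    chunks: List[bytes] = []
    pos, end = 12, min(declared, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        payload = blob[pos + 8:pos + 8 + size]
        chunks.append(cid)
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({size} bytes)")
        if payload.startswith(EXEC_MAGIC):
            findings.append(f"executable header inside chunk {cid!r}")
        pos += 8 + size + (size & 1)
    trailing = blob[declared:]
    if trailing:
        findings.append(f"{len(trailing)} bytes appended past the RIFF-declared length")
        if trailing.startswith(EXEC_MAGIC):
            findings.append("executable header in trailing data")
    return {"is_wav": True, "chunks": chunks, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    tone = b"\x00\x01" * 50                      # constructed PCM samples
    for label, sample in [
        ("clean", build_wav(tone)),
        ("appended", build_wav(tone) + b"MZ" + b"\x90" * 20),
        ("hidden chunk", build_wav(tone, [(b"xtra", b"\x7fELF" + b"A" * 30)])),
    ]:
        print(label, inspect_wav(sample)["findings"])
```

Run it over a quarantined copy of hangup.wav or ringtone.wav if you have one; an empty findings list means only that the file is structurally ordinary, not that it is benign, since a payload encoded into the sample values would pass this check.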

Supply Chain Implications

Experts believe TeamPCP most likely obtained the PyPI publishing token through an earlier breach such as the litellm compromise, whose payload harvested credentials from CI/CD pipelines, environment variables, and .env files. A single stolen publishing token is enough to push a signed-looking release to every downstream consumer, which is what makes trusted packages with elevated access such attractive targets.

“The strategic focus is clear: targeting development tools that inherently have access to credentials, secrets, and CI/CD environments amplifies the attacker’s reach,” noted Snyk researchers.

Mitigation Recommendations

Developers are urged to:

  1. Audit Python environments, requirements files, and lockfiles for telnyx==4.87.1 or telnyx==4.87.2 and replace them with the clean 4.87.0 release.
  2. Rotate all secrets and API keys reachable from any host that installed either version, assuming they are compromised.
  3. Check Windows Startup folders for a file named msbuild.exe; the legitimate MSBuild binary never lives there.
  4. Block the C2 IP address 83.142.209[.]203 (the stealer posts to port 8080) and search proxy and firewall logs for past connections to it.
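The four steps above reduce to three checks that can be scripted: is a malicious telnyx pin present in the environment or in dependency files, has the Windows persistence artifact been dropped, and do network logs show traffic to the C2. The script below is an added example for this article, not tooling from Telnyx or any of the firms quoted; the Startup folder paths are the standard per-user and all-users locations on Windows and are an assumption about where the page's "Startup folder" refers to, and the log lines it matches against are constructed.

```python
"""Audit a host for the compromised telnyx releases and their indicators."""
import os
import re
from importlib import metadata
from typing import Dict, Iterable, List, Optional

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
CLEAN_VERSION = "4.87.0"
C2_IP = "83.142.209.203"

# Matches pip-freeze / requirements / simple lockfile lines such as
# "Telnyx == 4.87.2  # comment"; PyPI names are case-insensitive.
REQ_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)

# The C2 IP with guards so 183.142.209.203 or 83.142.209.2030 do not match.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")


def flagged_requirements(lines: Iterable[str]) -> List[str]:
    """Return lines that pin telnyx to one of the malicious versions."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and m.group(1) in MALICIOUS_VERSIONS:
            hits.append(line.strip())
    return hits


def installed_telnyx_status() -> Dict[str, Optional[str]]:
    """Look up the telnyx distribution installed in this interpreter."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return {"version": None, "verdict": "not installed"}
    if version in MALICIOUS_VERSIONS:
        return {"version": version, "verdict": f"MALICIOUS - reinstall telnyx=={CLEAN_VERSION} and rotate secrets"}
    return {"version": version, "verdict": "ok"}


def startup_msbuild_candidates() -> List[str]:
    """Per-user and all-users Startup folders (assumed standard Windows layout)."""
    paths = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        paths.append(os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup", "msbuild.exe"))
    if programdata:
        paths.append(os.path.join(programdata, "Microsoft", "Windows", "Start Menu", "Programs", "StartUp", "msbuild.exe"))
    return paths


def find_startup_msbuild() -> List[str]:
    """Return the candidate paths that actually exist on this host."""
    return [p for p in startup_msbuild_candidates() if os.path.isfile(p)]


def c2_connections(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the C2 address."""
    return [line.strip() for line in log_lines if C2_RE.search(line)]


if __name__ == "__main__":
    sample_requirements = ["requests==2.31.0", "Telnyx == 4.87.2  # sdk", "telnyx==4.87.0"]
    sample_logs = [  # constructed proxy log lines
        "2026-03-27T10:00:01Z POST http://83.142.209.203:8080/ 200 1024",
        "2026-03-27T10:00:02Z GET http://183.142.209.203/ 200 300",
    ]
    print("requirements:", flagged_requirements(sample_requirements))
    print("installed:", installed_telnyx_status())
    print("startup artifact:", find_startup_msbuild())
    print("c2 traffic:", c2_connections(sample_logs))
```

Note that flagged_requirements only catches exact pins; a range such as telnyx>=4.87 resolves to whichever version was current at install time, so check the resolved lockfile or pip freeze output rather than the loose requirement.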

TeamPCP has also demonstrated collaboration with other cybercriminal groups, including LAPSUS$ and a ransomware group called Vect, indicating a growing trend where supply chain attacks feed into broader extortion and ransomware operations.

Industry Takeaways

Security analysts highlight the shift in attacker strategy: rather than phishing individual developers or exploiting a vulnerability in the target directly, attackers are poisoning open-source tools that already sit inside CI/CD pipelines, where a single malicious release inherits the pipeline's credentials and becomes a high-value entry point for follow-on attacks.

“This campaign is a stark reminder that any tool with broad pipeline access must be treated as a potential threat vector,” said Socket. “Attackers are increasingly leveraging trusted software to gain persistent or high-speed access to sensitive systems.”
