Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
By Bill Toulas
March 27, 2026, 05:13 PM
Hackers identified as TeamPCP have successfully compromised the Telnyx package hosted on the Python Package Index (PyPI), releasing malicious versions designed to deliver credential-stealing malware concealed within a WAV audio file.
This supply-chain attack was detected by the application security firms Aikido, Socket, and Endor Labs, which attributed it to TeamPCP based on an exfiltration pattern and an RSA key consistent with prior incidents linked to the group.
TeamPCP has been implicated in several recent supply-chain breaches, including the compromise of Aqua Security's Trivy vulnerability scanner and the open-source Python library LiteLLM.
On the same day, the threat actor introduced backdoored versions of the Telnyx package, specifically 4.87.1 and 4.87.2. For users operating on Linux and macOS systems, the malicious variant deploys malware designed to capture SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and various other sensitive information.
In the case of Windows systems, the malware ensures persistence by placing itself in the startup folder, executing automatically upon user login.
The Telnyx PyPI package serves as the official Python software development kit (SDK) that empowers developers to integrate Telnyx communication services—including VoIP, messaging (SMS, MMS, WhatsApp), fax, and IoT connectivity—into their applications. This package is notably popular, boasting over 740,000 monthly downloads on PyPI.
Security analysts suspect that the hackers gained access to the project by utilizing stolen credentials from the PyPI publishing account. Initially, TeamPCP released a flawed version of Telnyx, 4.87.1, at 03:51 UTC, containing a malicious payload that was non-functional. The group rectified this issue approximately one hour later, at 04:07 UTC, by releasing Telnyx version 4.87.2.
The harmful code is embedded in the ‘_telnyx/client.py’ file, which executes automatically upon import while ensuring the legitimate SDK classes operate as intended. On Linux and macOS, the malicious payload initiates a detached process that retrieves a second-stage payload disguised as a WAV audio file (ringtone.wav) from a remote command-and-control (C2) server.
Employing steganography techniques, the threat actors integrated the malicious code within the WAV file's data frames without distorting the audio quality. The code is extracted through a straightforward XOR-based decryption method and is run in memory to collect sensitive information from the compromised system.
In environments running Kubernetes, the malware is capable of enumerating cluster secrets and deploying privileged pods across nodes, thus striving to access the underlying host systems.
On Windows platforms, a different WAV file (hangup.wav) is utilized, leading to the extraction of an executable named msbuild.exe. This executable is subsequently positioned in the Startup folder to maintain persistence through system reboots, while a lock file is employed to restrict repeated executions within a 12-hour timeframe.
Researchers have underscored that Telnyx SDK version 4.87.0 is the last clean release, containing no alterations and retaining the authentic Telnyx code. Developers are strongly advised to revert to that release if they find versions 4.87.1 or 4.87.2 in their environments.
Any system that has utilized the compromised package versions should be deemed fully compromised, given that the payload executes at runtime and may have already exfiltrated confidential information. In such cases, it is crucial to promptly rotate all relevant secrets.
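The two checks a responder needs first are whether a lockfile or requirements file pins one of the backdoored releases, and whether one of them is installed in a given interpreter. The following script is an added example written for this article, not code from Telnyx, BleepingComputer, or any of the firms named above; it assumes pins appear in the `telnyx==X.Y.Z` form that pip freeze and requirements files use, and uses `importlib.metadata` for the installed-version check. The version sets come from the advisory text above; the sample requirements content is constructed.

```python
"""Triage helper for the backdoored Telnyx PyPI releases (added example)."""
from __future__ import annotations

import re
from importlib import metadata

# Versions the advisory names as backdoored, and the last clean release.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"

# Matches a pinned line such as "telnyx==4.87.2  # comment". Case-insensitive
# because PyPI names are normalised; assumption: pins use the "==" form.
_PIN_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def find_pinned_telnyx(requirements_text: str) -> list[str]:
    """Return every telnyx version pinned in requirements / pip-freeze text."""
    found = []
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def classify_version(version: str) -> str:
    """'malicious', 'clean' or 'unknown' for a telnyx version string."""
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    if version == LAST_CLEAN_VERSION:
        return "clean"
    # Anything else is not covered by the advisory; verify it separately.
    return "unknown"


def installed_telnyx_version() -> str | None:
    """Version of telnyx installed in the running interpreter, if any."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def triage(requirements_text: str, installed: str | None) -> dict[str, list[str]]:
    """Bucket every observed telnyx version by advisory status.

    Each entry records where the version was seen so the report can be
    pasted straight into an incident ticket.
    """
    report: dict[str, list[str]] = {"malicious": [], "clean": [], "unknown": []}
    for v in find_pinned_telnyx(requirements_text):
        report[classify_version(v)].append(f"requirements: {v}")
    if installed is not None:
        report[classify_version(installed)].append(f"installed: {installed}")
    return report


# Constructed sample requirements content; the Telnyx pin is the one to catch.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx==4.87.2   # pinned by CI
numpy==1.26.4
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REQUIREMENTS, installed_telnyx_version())
    for hit in result["malicious"]:
        print(f"[!] backdoored Telnyx release present ({hit}): treat the host as "
              f"compromised, rotate secrets, pin telnyx=={LAST_CLEAN_VERSION}")
    for hit in result["unknown"]:
        print(f"[?] telnyx version not covered by the advisory ({hit}): verify")
    if not result["malicious"]:
        print("[+] no backdoored Telnyx release found in the inputs checked")
```

Run it inside each virtual environment or container image that ships the SDK, since `importlib.metadata` only sees the interpreter it runs in; feed it `pip freeze` output for environments you cannot execute code in. A "malicious" hit means the advisory's guidance applies in full: the payload ran at import time, so rotating SSH keys, cloud tokens, and other secrets matters more than simply downgrading.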