TL;DR: On March 27, 2026, attackers pushed malicious versions of the Telnyx Python SDK to PyPI, hiding credential-stealing malware inside WAV audio files. The package gets 742,000+ downloads per month. If you use Telnyx, downgrade to version 4.87.0 immediately and rotate all secrets. This is part of a larger campaign by threat actor TeamPCP that already compromised Trivy, KICS, and LiteLLM.
What happened
At 03:51 UTC on March 27, 2026, someone pushed two unauthorized versions of the Telnyx Python SDK to PyPI: 4.87.1 and 4.87.2. Both contained malware injected into the telnyx/_client.py file. The malicious code executed at import time, so any application that merely imported telnyx ran it, with no call into the SDK required.
PyPI quarantined both versions by 10:13 UTC the same day, an exposure window of a little over six hours. For a package averaging 30,000 downloads per day, that still means potentially thousands of compromised systems.
The attack came from TeamPCP, a threat group that's been tearing through developer tooling for the past two weeks. They hit Trivy (a container security scanner) on March 19, then KICS and LiteLLM in the following days. Same playbook: compromise a trusted tool, harvest credentials, use those credentials to compromise the next target.
Hiding malware in audio files
Here's where it gets clever. Most security tools flag suspicious executables or base64-encoded blobs. TeamPCP worked around that by hiding their payload inside WAV audio files.
Once the malicious package runs, it downloads a WAV file from the attacker's server: hangup.wav on Windows, ringtone.wav on Linux and macOS. To a network inspection tool the download looks like an ordinary audio file. Embedded in the audio frames, though, is the encrypted second stage: 8 bytes of XOR-encrypted payload followed by an 8-byte decryption key.
The first stage extracts the hidden bytes, XORs them with the key, and executes the result. Steganography (hiding data inside other files) isn't new, but using audio files as a malware delivery channel is an escalation that many EDR and network tools aren't configured to catch.
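For responders who capture one of these WAV files, the decoding step is mechanical once the layout is known. The script below is an added example, not the attackers' loader or anything from Telnyx or PyPI. It assumes the layout as the write-up describes it: the RIFF `data` chunk holds XOR-encrypted bytes with the 8-byte key appended at the end. Real samples may place the key or payload differently, so confirm offsets against the actual file before trusting the output. The sample WAV and the "second stage" inside it are constructed here for the demo.

```python
"""Pull an XOR-obfuscated payload out of a WAV file's data chunk.

Added example (not the attackers' code). Assumed layout, per the description
above: data chunk = XOR-encrypted bytes || 8-byte key. Treat as a triage aid.
"""
import struct
from typing import Iterator, Tuple

KEY_LEN = 8  # assumption: trailing 8-byte XOR key

# Strings a decrypted second stage (script or binary) is likely to contain. Heuristic only.
SUSPICIOUS_MARKERS = [b"import ", b"subprocess", b"os.system", b"#!/", b"powershell", b"MZ", b"\x7fELF"]


def riff_chunks(blob: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, chunk_body) for every chunk in a RIFF/WAVE container."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        yield cid, blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both hides and recovers the payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(wav: bytes, key_len: int = KEY_LEN) -> bytes:
    """Return the decrypted bytes hidden in the data chunk (assumed layout)."""
    data = next((body for cid, body in riff_chunks(wav) if cid == b"data"), None)
    if data is None or len(data) <= key_len:
        raise ValueError("no data chunk, or data chunk too short to hold a key")
    ciphertext, key = data[:-key_len], data[-key_len:]
    return xor_bytes(ciphertext, key)


def looks_like_code(blob: bytes) -> bool:
    """Cheap check that the decrypted bytes are a script or executable, not audio."""
    return any(marker in blob for marker in SUSPICIOUS_MARKERS)


def build_wav(data_chunk: bytes, sample_rate: int = 8000) -> bytes:
    """Wrap arbitrary bytes in a minimal 8-bit mono PCM WAV container."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate, 1, 8)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(data_chunk)) + data_chunk
    if len(data_chunk) & 1:
        body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed sample: a harmless stand-in for a second stage, hidden the same way.
SAMPLE_KEY = b"\x13\x37\xde\xad\xbe\xef\x42\x99"
SAMPLE_STAGE2 = b"import os\nprint('stage two would run here')\n"
SAMPLE_WAV = build_wav(xor_bytes(SAMPLE_STAGE2, SAMPLE_KEY) + SAMPLE_KEY)

if __name__ == "__main__":
    recovered = extract_payload(SAMPLE_WAV)
    print("decrypted:", recovered.decode())
    print("looks like code:", looks_like_code(recovered))
```

Run it against a captured hangup.wav or ringtone.wav by reading the file into `extract_payload`; a result that passes `looks_like_code` is the artifact to hand to the analyst, and a result that looks like noise means the real layout differs from the assumption and the offsets need adjusting.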
What it does on your system
The attack differs by operating system:
Windows: The payload drops as msbuild.exe in your Windows Startup folder. Every reboot reactivates it. Persistent access to your machine for as long as that file exists.
Linux/macOS: No persistence mechanism. Instead, the malware runs a rapid harvest operation: grabs everything it needs, exfiltrates, and self-destructs. Minimal forensic traces left behind.
What does it steal? Environment variables, .env files, shell histories, cloud credentials, and CI/CD secrets. Everything gets packaged as tpcp.tar.gz and sent via HTTP POST to 83.142.209.203:8080.
If you're a developer, your .env file probably contains database passwords, API keys, and cloud credentials. Your shell history contains commands with tokens and secrets you typed directly. This malware grabs all of it.
Part of a larger campaign
TeamPCP isn't targeting packages randomly. They're chaining compromises:
- March 19: Compromised Trivy, the container security scanner. Pushed malicious version 0.69.4 using stolen credentials. Force-pushed GitHub Actions tags.
- March 20-22: Spread a self-propagating npm worm across 45+ packages. Automated credential theft and package republishing.
- March 23: Hit Checkmarx KICS and OpenVSX extensions using the same C2 infrastructure.
- March 24-27: Backdoored LiteLLM (versions 1.82.7 and 1.82.8) and Telnyx (versions 4.87.1 and 4.87.2) on PyPI.
The pattern is clear: compromise a security or developer tool, steal the credentials it exposes, use those credentials to poison the next target. The attackers are building access to development pipelines across the industry.
Datadog Security Labs reported that TeamPCP has announced partnerships with ransomware groups including LAPSUS$ and an emerging group called Vect. Stolen credentials today could become ransomware tomorrow.
How to check if you're affected
Run these checks immediately:
- Check your Python environments: run `pip show telnyx`. If it reports 4.87.1 or 4.87.2, treat that environment as compromised. Note that `pip show` only tells you what is installed now; if a malicious version was installed and later replaced, only your pip or CI logs will show it.
- Windows users: check your Startup folders for `msbuild.exe`. The real MSBuild lives under `C:\Windows\Microsoft.NET\` or a Visual Studio install directory, never in a Startup folder.
- Check network logs: look for connections to `83.142.209.203:8080`.
- Review CI/CD pipelines: any pipeline that installed Telnyx during the exposure window (03:51 to 10:13 UTC on March 27) should be considered compromised, along with every secret that pipeline could read.
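The four checks above can be run as one script. The code below is an added example, not tooling from the article's author, Telnyx or PyPI: it reads the installed telnyx version, looks in the Windows Startup folders for the dropper, and scans log lines for the C2 address or for an install of a malicious version. The log lines are constructed for the demo; feed it your own pip, CI or connection logs in practice.

```python
"""Triage checks for the Telnyx 4.87.1 / 4.87.2 incident.

Added example (not from the article). Sample log lines are constructed.
"""
import os
import re
from importlib import metadata
from pathlib import Path
from typing import Iterable, List, Optional

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
C2_HOST = "83.142.209.203"  # reported C2; port 8080 in the write-up
DROPPER_NAME = "msbuild.exe"

# Match the C2 address only as a whole IPv4 token, so 183.142.209.203 does not hit.
C2_RE = re.compile(rf"(?<![\d.]){re.escape(C2_HOST)}(?!\d)")
# "telnyx-4.87.1" (pip output), "telnyx==4.87.2" (requirements), "telnyx 4.87.1"
BAD_INSTALL_RE = re.compile(r"\btelnyx[-= ]{1,2}4\.87\.[12]\b", re.IGNORECASE)


def installed_telnyx_version() -> Optional[str]:
    """Version of telnyx visible to this interpreter, or None if not installed."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def is_malicious_version(version: Optional[str]) -> bool:
    return version in MALICIOUS_VERSIONS


def default_startup_folders() -> List[str]:
    """Per-user and all-users Startup folders on Windows, from the standard env vars."""
    folders = []
    if os.environ.get("APPDATA"):
        folders.append(os.path.join(os.environ["APPDATA"], "Microsoft", "Windows",
                                    "Start Menu", "Programs", "Startup"))
    if os.environ.get("PROGRAMDATA"):
        folders.append(os.path.join(os.environ["PROGRAMDATA"], "Microsoft", "Windows",
                                    "Start Menu", "Programs", "StartUp"))
    return folders


def find_dropper(folders: Iterable[str]) -> List[str]:
    """Paths of any msbuild.exe sitting directly inside the given Startup folders."""
    hits = []
    for folder in folders:
        p = Path(folder)
        if not p.is_dir():
            continue
        for child in p.iterdir():
            if child.is_file() and child.name.lower() == DROPPER_NAME:
                hits.append(str(child))
    return hits


def c2_hits(lines: Iterable[str]) -> List[str]:
    """Log lines that mention the C2 IP on any port."""
    return [line for line in lines if C2_RE.search(line)]


def bad_install_hits(lines: Iterable[str]) -> List[str]:
    """Log lines recording an install of a malicious version. pip show only reports
    what is installed now; pip and CI logs are the record of the exposure window."""
    return [line for line in lines if BAD_INSTALL_RE.search(line)]


# Constructed sample lines: a pip install, two connection-log lines, a clean install.
SAMPLE_LOG_LINES = [
    "2026-03-27T05:12:44Z pip Successfully installed httpx-0.27.0 telnyx-4.87.2",
    "2026-03-27T05:12:51Z conn 10.0.0.14:51844 -> 83.142.209.203:8080 tcp bytes_out=48211",
    "2026-03-27T05:13:02Z conn 10.0.0.14:51902 -> 183.142.209.203:443 tcp bytes_out=912",
    "2026-03-27T06:40:10Z pip Successfully installed telnyx-4.87.0",
]


def main() -> None:
    version = installed_telnyx_version()
    print(f"telnyx installed: {version!r}  malicious: {is_malicious_version(version)}")
    print("dropper in Startup:", find_dropper(default_startup_folders()) or "none found")
    for line in c2_hits(SAMPLE_LOG_LINES):
        print("C2 contact:", line)
    for line in bad_install_hits(SAMPLE_LOG_LINES):
        print("malicious install:", line)


if __name__ == "__main__":
    main()
```

A hit from `bad_install_hits` on CI logs matters even when `pip show` reports a clean version today: the secrets that job could read were exposed during the run and still need rotating.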
What to do now
Immediate actions:
- Downgrade to Telnyx version 4.87.0: `pip install telnyx==4.87.0`. This removes the malicious module but does not undo anything it already did.
- Block the C2 IP address `83.142.209.203` at your firewall.
- Rotate all secrets in affected environments: every API key, database password, and cloud credential, plus anything visible in shell history or CI variables. Assume exfiltration already happened.
- On Windows, delete any `msbuild.exe` in Startup folders.
Longer term:
- Pin package versions in production. Don't auto-upgrade dependencies without review.
- Use dependency lockfiles and verify hashes.
- Monitor for Trivy, KICS, and LiteLLM compromises if you use those tools. They're part of the same campaign.
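Hash pinning is what turns "pin versions" into an enforceable control: with pins and `--require-hashes`, pip refuses any artifact whose sha256 is not on the list, so a surprise 4.87.1 cannot install even if the resolver would otherwise pick it. The script below is an added example, not pip's code, that re-creates that check so the mechanism is concrete. The wheel bytes and the requirements text are constructed for the demo.

```python
"""Verify downloaded artifacts against hash-pinned requirements.

Added example (not pip's implementation). Artifact bytes and the requirements
text are constructed; real wheels are zip files.
"""
import hashlib
from typing import Dict, Set

HASH_PREFIX = "--hash=sha256:"


def parse_hash_pins(requirements_text: str) -> Dict[str, Set[str]]:
    """Map 'name==version' to the sha256 digests pinned for it.

    Handles '#' comments and backslash continuation lines, the shape that
    pip-compile --generate-hashes writes.
    """
    pins: Dict[str, Set[str]] = {}
    logical = ""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        tokens = logical.split()
        logical = ""
        if not tokens:
            continue
        requirement, options = tokens[0], tokens[1:]
        digests = {opt[len(HASH_PREFIX):] for opt in options if opt.startswith(HASH_PREFIX)}
        pins.setdefault(requirement.lower(), set()).update(digests)
    return pins


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def verify_artifact(requirement: str, content: bytes, pins: Dict[str, Set[str]]) -> bool:
    """True only if the requirement is pinned and the content matches one of its pins."""
    allowed = pins.get(requirement.lower())
    if not allowed:
        return False  # unpinned version: --require-hashes aborts the install here
    return sha256_hex(content) in allowed


def pin_line(requirement: str, content: bytes) -> str:
    """Requirement line in the format `pip hash <file>` prints for an artifact."""
    return f"{requirement} {HASH_PREFIX}{sha256_hex(content)}"


# Constructed stand-ins for the genuine and a tampered artifact.
GOOD_WHEEL = b"PK\x03\x04 stand-in for telnyx-4.87.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b" with one extra byte"

SAMPLE_REQUIREMENTS = (
    "# constructed for the example; generate for real with pip-compile --generate-hashes\n"
    + pin_line("telnyx==4.87.0", GOOD_WHEEL).replace(" --hash", " \\\n    --hash")
    + "\n"
)

if __name__ == "__main__":
    pins = parse_hash_pins(SAMPLE_REQUIREMENTS)
    print(SAMPLE_REQUIREMENTS)
    print("4.87.0 genuine :", verify_artifact("telnyx==4.87.0", GOOD_WHEEL, pins))
    print("4.87.0 tampered:", verify_artifact("telnyx==4.87.0", TAMPERED_WHEEL, pins))
    print("4.87.1 unpinned:", verify_artifact("telnyx==4.87.1", GOOD_WHEEL, pins))
```

In practice you do not run this yourself: generate the pins with `pip hash` on a reviewed artifact or with `pip-compile --generate-hashes`, commit the file, and install with `pip install --require-hashes -r requirements.txt`. The point the script makes is that a pipeline resolving a bare `telnyx` would have pulled 4.87.2 during the window, while one installing against hash pins would have failed closed.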
The supply chain problem isn't going away
This attack worked because developers trust package repositories. You run pip install and assume you're getting legitimate software. PyPI responded within six hours (faster than many registries) but the damage was already done.
The SolarWinds attack in 2020 showed nation-states could compromise software supply chains. Now criminal groups are using the same techniques. TeamPCP isn't sophisticated in terms of novel exploits. They're sophisticated in targeting. Hit the tools developers trust, harvest their credentials, repeat.
Until package registries require code signing and verification on both the publishing and the installing side, this will keep happening. PyPI already offers trusted publishing and provenance attestations, but adoption is slow. In the meantime, assume any package update could be malicious until proven otherwise.