TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

This article covers a TeamPCP supply chain attack on the telnyx Python package, hiding malware inside .WAV files via audio steganography.

• •Malicious versions 4.87.1 and 4.87.2 were published to PyPI on March 27, 2026, with malware injected into telnyx/_client.py
• •On Windows, a persistent msbuild.exe is dropped into the Startup folder extracted from hangup.wav
• •On Linux/macOS, ringtone.wav delivers a credential harvester that self-deletes after exfiltrating data as tpcp.tar.gz
• •The telnyx PyPI token was likely stolen through a prior litellm compromise that swept env vars and shell histories
• •TeamPCP is collaborating with LAPSUS$ and ransomware group Vect, signaling supply chain attacks as ransomware entry points

This summary was automatically generated by AI based on the original article and may not be fully accurate.