Telnyx Targeted in Growing TeamPCP Supply Chain Attack

The popular Telnyx Python SDK is the latest victim of TeamPCP’s weeks-long supply chain campaign targeting the broad open source software ecosystem. The campaign started on March 19 with Aqua Security’s open source vulnerability scanner Trivy and continued with infections across NPM, Docker Hub, Kubernetes, OpenVSX, and the LiteLLM PyPI package. On Friday, two malicious versions of Telnyx, namely 4.87.1 and 4.87.2, were uploaded to the PyPI registry, targeting Windows, macOS, and Linux systems. Telnyx is a cloud-based voice solution enabling traditional phone calls directly on respond.io. The Python library has over 670,000 monthly downloads. The rogue Telnyx PyPI packages contained a WAV file that would drop an executable in the startup folder on Windows systems or would execute a hardcoded Python script to decode a third-stage collector script to exfiltrate the machine’s session key on macOS and Linux systems. “The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script,” cybersecurity firm Aikido explains. All the exfiltrated data is encrypted using asymmetric encryption (RSA), and the encoded public key is the same that was used in previous TeamPCP attacks, such as the LiteLLM PyPI package compromise, JFrog notes. “It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP’s recent attacks on the open source ecosystems,” JFrog says. Telnyx users who installed either of the malicious versions of the SDK should consider their machines compromised and rotate all credentials, API keys, SSH keys, and other secrets. According to GitGuardian, the blast radius from TeamPCP’s campaign extends well beyond the publicly discussed compromised packages. The cybersecurity firm identified over 470 repositories that run a malicious version of the Trivy GitHub Action, and more than 1,900 packages that included LiteLLM as a dependency, thus potentially propagating the initial infection. The numbers, GitGuardian warns, represent lower bounds, as the analysis is based only on publicly accessible data. When private repositories and transitive dependencies are taken into consideration, the actual scope of the supply chain campaign extends much further. Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Related: Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation Related: AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire OpenAI Launches Bug Bounty Program for Abuse and Safety Risks TP-Link Patches High-Severity Router Vulnerabilities Coruna iOS Exploit Kit Likely an Update to Operation Triangulation Hightower Holding Data Breach Impacts 130,000 BIND Updates Patch High-Severity Vulnerabilities Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Cisco Patches Multiple Vulnerabilities in IOS Software Onit Security Raises $11 Million for Exposure Management Platform Latest News Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit European Commission Reports Cyber Intrusion and Data Theft Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare Exploitation of Fresh Citrix NetScaler Vulnerability Begins FBI Confirms Kash Patel Email Hack as US Offers $10M Reward for Hackers F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs Pro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal Account Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Moderna has promoted Farzan Karimi to Deputy Chief Information Security Officer. Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne. Token has appointed Katy Nelson as Chief Revenue Officer. More People On The Move Expert Insights Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Email