Popular Telnyx Python Package Compromised on PyPI with Steganographic Malware
Key Takeaways
- Two malicious telnyx package versions (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain injected code that executes automatically on import with no user interaction required
- Attack uses novel WAV file steganography to hide malware payloads and employs AES-256-CBC + RSA-4096 encryption for credential exfiltration, with identical operational patterns to the litellm compromise
- The compromise affected PyPI publishing credentials, not the source repository, indicating a targeted attack on the package maintainer's authentication
Summary
Two versions of the telnyx Python package (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 have been found to contain malicious code injected into the telnyx/_client.py file. The compromised package, which averages over 1 million downloads monthly, executes the injected code automatically on import and downloads second-stage malware hidden inside WAV audio files using steganography. The attack exhibits identical patterns to the recent litellm PyPI compromise and is attributed with high confidence to the threat actor group TeamPCP.
The malware behaves differently depending on the target operating system: on Windows it establishes persistence by dropping an executable masquerading as msbuild.exe in the Startup folder, while on Linux and macOS it harvests credentials, encrypts them using AES-256-CBC together with a hardcoded RSA-4096 public key, and exfiltrates the data via HTTP POST requests. The attack required compromise of PyPI publishing credentials rather than the source repository itself: the GitHub repository shows no signs of compromise, with all recent activity originating from the legitimate Stainless SDK bot.
Indicators of compromise include the specific package hashes, the command-and-control server at 83.142.209.203:8080, and payload URLs disguised as audio files (ringtone.wav and hangup.wav). Users of telnyx versions 4.87.1 and 4.87.2 are advised to immediately revert to version 4.87.0 or earlier and conduct security audits on affected systems.
- The high-impact supply chain attack targets a package with 1 million+ monthly downloads, enabling potential compromise of thousands of downstream applications and services
Editorial Opinion
This incident underscores the critical vulnerability of Python's package ecosystem to credential compromise attacks. While the use of steganography to hide malware demonstrates increasing sophistication from supply chain attackers, the fact that malicious versions were published without corresponding repository tags should have triggered automated verification in secure CI/CD pipelines. The Python community urgently needs mandatory cryptographic verification of package signatures and stricter controls over PyPI publishing credentials, potentially including hardware security keys or time-limited tokens.
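As an added example that is not part of this advisory, the following Python implements the two defensive checks the text calls for: flagging a requirements file or installed environment that resolves to one of the two versions named here, and flagging index releases that have no matching tag in the source repository. The sample requirements lines, release list and `v`-prefixed tag format are constructed assumptions.

```python
from __future__ import annotations
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Iterable

PACKAGE = "telnyx"
# Versions the advisory names as malicious.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.87.1' into (4, 87, 1) for sorting; assumes plain X.Y.Z."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(ver: str) -> bool:
    return ver.strip() in MALICIOUS_VERSIONS

def scan_requirements(lines: Iterable[str]) -> list[str]:
    """Return exact 'telnyx==X.Y.Z' pins that match a malicious version.
    Only exact pins are judged; ranges need resolution first."""
    pin = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9.]*)", re.IGNORECASE)
    hits = []
    for line in lines:
        m = pin.match(line)
        if m and is_affected(m.group(1)):
            hits.append(line.strip())
    return hits

def installed_status() -> bool | None:
    """True if the installed telnyx is affected, False if not, None if absent."""
    try:
        return is_affected(installed_version(PACKAGE))
    except PackageNotFoundError:
        return None

def untagged_releases(index_versions: Iterable[str], repo_tags: Iterable[str]) -> list[str]:
    """Releases on the index with no corresponding repo tag.
    Tag format 'vX.Y.Z' is an assumption, not taken from the advisory."""
    tagged = {t.strip().lstrip("v") for t in repo_tags}
    return sorted((v for v in index_versions if v not in tagged), key=parse_version)

if __name__ == "__main__":
    # Constructed sample data, not real index or repository state.
    reqs = ["requests==2.31.0", "telnyx==4.87.2", "# telnyx==4.87.0"]
    print("bad pins:", scan_requirements(reqs))
    print("installed:", installed_status())
    print("untagged:", untagged_releases(
        ["4.86.0", "4.87.0", "4.87.1", "4.87.2"], ["v4.86.0", "v4.87.0"]))
```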