Telnyx PyPI Package Compromised in Ongoing TeamPCP Supply Chain Attack Campaign
Key Takeaways
- Telnyx PyPI package compromised with malware hidden in WAV files using steganography and XOR obfuscation
- Part of a coordinated TeamPCP campaign spanning multiple ecosystems (npm, PyPI, GitHub Actions) over two weeks
- Attack chain leverages credentials stolen from unpinned CI/CD tools to compromise high-impact packages
Summary
The popular Telnyx Python SDK on PyPI has been compromised as part of an escalating multi-week supply chain attack campaign by the threat actor TeamPCP. Malicious versions of the package were uploaded on March 27, featuring sophisticated malware that uses WAV file steganography to deliver payloads. The attack follows a consistent pattern: stealing credentials from trusted security tools, then using those credentials to inject backdoors into packages with broad downstream reach.
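The pattern above starts with unpinned CI/CD tooling. One practical check is to scan workflow files for `uses:` references that resolve to a mutable tag or branch rather than a full commit SHA, since a moved tag is exactly what lets a compromised action run with your secrets. The script below is an added example written for this write-up, not tooling from Telnyx, Checkmarx, Aqua or any other project named here; the sample workflow and the 40-hex placeholder SHA in it are constructed for the demo.

```python
"""
Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.
Added example for this write-up; not code from any project it names.
The sample workflow below is constructed, and its SHA is a placeholder.
"""
import re
from typing import List, Tuple

# Matches `uses: owner/repo[/path]@ref`, with optional leading dash and quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """
    Return (line_no, reference, reason) for each action that is not pinned
    to a 40-hex commit SHA. Repo-local actions (./path) are skipped and
    docker:// images are accepted only when they carry an @sha256 digest.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # action lives in this repo; nothing remote to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref, "container image without digest"))
            continue
        if "@" not in ref:
            findings.append((n, ref, "no version given (tracks default branch)"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((n, ref, f"mutable ref '{version}', not a commit SHA"))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: scan
        uses: some-org/scanner-action@main
"""

if __name__ == "__main__":
    for line_no, ref, reason in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it over every file under `.github/workflows/` and treat any finding as a blocker. A SHA pin only removes the "moved tag" problem; you still need to review what that commit does, and the same discipline applies to `pip install` lines in the workflow, which should carry hashes.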
The Telnyx compromise is the latest in a series targeting major tools and services. Previous targets include Aqua Security's Trivy vulnerability scanner (March 19), 46+ npm packages via CanisterWorm (March 20), Checkmarx GitHub Actions (March 23), and LiteLLM's PyPI package (March 24), which sees roughly 95 million downloads a month. The campaign's tooling hides payloads with XOR obfuscation and protects exfiltrated data with AES-256-CBC, wrapping the AES key with RSA-4096 so that only the holder of the attacker's private key can read it.
The malware executes at import time and offers no opt-out: importing the package is enough to trigger it. On Windows, it downloads a WAV file, decodes an executable hidden in the audio frames, and installs it as msbuild.exe in the Startup folder for persistence. On Linux and macOS, it fetches a complete Python script embedded in a WAV file and exfiltrates system data encrypted with attacker-controlled RSA keys.
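A responder who pulls one of these WAV files from a proxy log or a package cache wants a quick answer to "is there a program inside this audio?". The triage helper below is an added example for this write-up, not code from the Telnyx package, the malware or TeamPCP. It assumes, as the write-up does not state, that the payload sits in the PCM frame data and that the XOR key is a single byte; it then brute-forces the key and looks for a PE header (the Windows stage) or Python source markers (the Linux/macOS stage). The sample WAV it builds is constructed test data carrying a harmless script.

```python
"""
Triage a WAV file for an XOR-obfuscated payload hidden in its audio frames.
Added example for this write-up; not the malware's code nor Telnyx's.
Assumptions not given in the write-up: payload is in the PCM frames,
and the XOR key is one byte.
"""
import io
import wave
from typing import Optional

PY_MARKERS = (b"import ", b"#!/usr/bin/env python", b"def ", b"exec(")


def wav_frames(data: bytes) -> bytes:
    """Return the raw PCM frame bytes of an in-memory WAV file."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return w.readframes(w.getnframes())


def looks_like_pe(blob: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(blob: bytes) -> Optional[str]:
    """'pe', 'python', or None when the bytes look like ordinary audio."""
    if looks_like_pe(blob):
        return "pe"
    if sum(blob.count(m) for m in PY_MARKERS) >= 2:
        return "python"
    return None


def find_xor_payload(wav_bytes: bytes) -> Optional[dict]:
    """
    Try all 256 single-byte XOR keys against the frame data and return
    {"key", "kind", "preview"} for the first key that yields a payload.
    """
    frames = wav_frames(wav_bytes)
    for key in range(256):
        decoded = bytes(b ^ key for b in frames)
        kind = classify(decoded)
        if kind:
            return {"key": key, "kind": kind, "preview": decoded[:60]}
    return None


def build_sample_wav(payload: bytes, key: int) -> bytes:
    """Constructed test input: 8-bit mono WAV whose frames are payload XOR key."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(bytes(b ^ key for b in payload))
    return buf.getvalue()


if __name__ == "__main__":
    harmless = b"import os\nimport sys\ndef main():\n    print(os.name)\n"
    print(find_xor_payload(build_sample_wav(harmless, 0x5A)))
```

The PE check deliberately walks to the `PE\0\0` signature rather than stopping at `MZ`, because two bytes of real audio XORed with some key will spell "MZ" about once in every 256 files and a single-byte brute force would otherwise raise false alarms. Real samples may use a longer key or stash data in a non-audio chunk; if the brute force comes back empty, a byte-frequency histogram of the frames (audio is smooth, XORed code is not) is the next thing to look at.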
- Because the malware runs at import time, installing and importing an affected version is enough to trigger its persistence and encrypted exfiltration routines
- The LiteLLM compromise is particularly concerning because LiteLLM manages credentials for OpenAI, Anthropic, AWS, and GCP services