TeamPCP, the risk actor behind the availability chain assault concentrating on Trivy, KICS, and litellm, has now compromised the telnyx Python bundle by pushing two malicious variations to steal delicate knowledge.
The 2 variations, 4.87.1 and 4.87.2, printed to the Python Package deal Index (PyPI) repository on March 27, 2026, hid their credential harvesting capabilities inside a .WAV file. Customers are advisable to downgrade to model 4.87.0 instantly. The PyPI venture is at the moment quarantined.
Numerous studies from Aikido, Endor Labs, Ossprey Safety, SafeDep, Socket, and StepSecurity point out the malicious code is injected into “telnyx/_client.py,” inflicting it to be invoked when the bundle is imported right into a Python software. The malware is designed to focus on Home windows, Linux, and macOS techniques.
“Our analysis reveals a three-stage runtime attack chain on Linux/macOS consisting of delivery via audio steganography, in-memory execution of a data harvester, and encrypted exfiltration,” Socket stated. “The entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host.”
On Home windows, the malware downloads a file named “hangup.wav” from a command-and-control (C2) server and extracts from the audio knowledge an executable that is then dropped into the Startup folder as “msbuild.exe.” This permits it to persist throughout system reboots and routinely run each time a consumer logs in to the system.
In case the compromised host runs on Linux or macOS, it fetches a distinct .WAV file (“ringtone.wav”) from the identical server to extract a third-stage collector script and run. The credential harvester is designed to seize a variety of delicate knowledge and exfiltrate the info within the type of “tpcp.tar.gz” through an HTTP POST request to “83.142.209[.]203:8080.”
“The standout technique in this sample – and the reason for the post title – is the use of audio steganography to deliver the final payload,” Ossprey Safety stated. “Rather than hosting a raw executable or a base64 blob on the C2 (both of which are trivially flagged by network inspection and EDR), the attacker wraps the payload inside a .WAV file.”
It is at the moment not identified how the bundle’s PYPI_TOKEN was obtained by TeamPCP, however it’s doubtless that it was via a previous credential harvesting operation.
“We believe the most likely vector is the litellm compromise itself,” Endor Labs researchers Kiran Raj and Rachana Misal stated. “TeamPCP’s harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already in TeamPCP’s hands.”
What’s notable in regards to the assault is the absence of a persistence mechanism in Linux and macOS and the usage of a short lived listing to conduct the malicious actions and recursively delete all its contents as soon as all the pieces is full.
“The strategic split is clear. Windows gets persistence: a binary in the Startup folder that survives reboots, providing the threat actor with long-term, repeatable access,” Socket defined. “Linux/macOS gets smash-and-grab: a single, high-speed data harvesting operation that collects everything of value and exfiltrates it immediately, then vanishes.”
The event comes just a few days after the risk actor distributed trojanized variations of the favored litellm Python bundle to exfiltrate cloud credentials, CI/CD secrets and techniques, and keys to a site underneath its management.
The provision chain incident additionally displays a new-found maturation, the place the risk actor has persistently contaminated respectable, trusted packages with huge consumer bases to distribute malware to downstream customers and widen blast radius, quite than straight publishing malicious typosquats to open-source bundle repositories.
“The target selection across this campaign focuses on tools with elevated access to automated pipelines: a container scanner (Trivy), an infrastructure scanning tool (KICS), and an AI model routing library (litellm),” Snyk stated. “Each of these tools requires broad read access to the systems it operates on (credentials, configs, environment variables) by design.”
To mitigate the risk, builders are suggested to carry out the next actions –
- Audit Python environments and necessities.txt recordsdata for telnyx==4.87.1 or telnyx==4.87.2. If discovered, change them with a clear model.
- Assume compromise and rotate all secrets and techniques.
- Search for a file named “msbuild.exe” within the Home windows Startup folder.
- Block the C2 and exfiltration area (“83.142.209[.]203”).
The compromise is a part of a broader, ongoing marketing campaign undertaken by TeamPCP spanning a number of ecosystems, with the risk actor saying collaborations with different cybercriminal teams like LAPSUS$ and an rising ransomware group referred to as Vect to conduct extortion and ransomware operations.
This additionally indicators a shift the place ransomware gangs, which have traditionally targeted on preliminary entry strategies like phishing and exploitation of safety flaws, at the moment are weaponizing provide chain assaults concentrating on the open supply infrastructure as an entry level for follow-on assaults.
“This puts a spotlight on anything in CI/CD environments that isn’t locked down,” Socket stated. “Security scanners, IDE extensions, build tooling, and execution environments are granted broad access because they’re expected to need it. When attackers are targeting the tools themselves, anything running in the pipeline has to be treated as a potential entry point.”
