TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

Source: The Hacker News
March 27, 2026

EXECUTIVE SUMMARY

TeamPCP Exploits PyPI with Malicious Telnyx Package Versions

Summary

The threat actor TeamPCP has compromised the telnyx Python package by releasing two malicious versions on the PyPI repository. These versions were designed to steal sensitive data, with the credential-harvesting capability hidden inside a .WAV file.

Key Points

  • TeamPCP is responsible for the supply chain attack on the telnyx Python package.
  • Two malicious versions, 4.87.1 and 4.87.2, were published on March 27, 2026.
  • The attack involved hiding credential-harvesting capabilities within a .WAV file.
  • The compromised package was available on the Python Package Index (PyPI).
  • Previous targets of TeamPCP include Trivy, KICS, and litellm.

Analysis

This incident highlights the ongoing risks associated with supply chain attacks, particularly in open-source ecosystems like PyPI. By embedding malicious code within a widely used package, attackers can potentially access sensitive data from numerous users. The use of a .WAV file to conceal the malicious payload demonstrates the evolving sophistication of such attacks.

Conclusion

IT professionals should immediately verify the integrity of the telnyx package versions in use and consider implementing stricter package validation processes. Regular monitoring of package repositories for suspicious activity is also recommended to mitigate the risk of similar attacks.
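One way to carry out the version check recommended above, as an added example that is not code from the source article or the telnyx project: it scans requirements-style text for telnyx entries that pin 4.87.1 or 4.87.2, or whose version range would have resolved to them. The function names and sample input are constructed for illustration, and only plain numeric release versions are handled.

```python
import re

# Versions named on this page as malicious; all other names here are illustrative.
BAD_VERSIONS = ("4.87.1", "4.87.2")
PACKAGE = "telnyx"
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?([^;#]*)")
_CLAUSE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*(?:\.\*)?)")

def _key(version):
    return tuple(int(part) for part in version.split("."))

def _admits(op, spec, ver):
    """True if the clause `op spec` allows release `ver` (numeric releases only)."""
    v = _key(ver)
    if spec.endswith(".*"):                 # prefix match, valid with == and !=
        p = _key(spec[:-2])
        return (v[:len(p)] == p) == (op == "==")
    s = _key(spec)
    if op == "~=":                          # compatible release: >= s, same prefix
        return v >= s and v[:len(s) - 1] == s[:-1]
    width = max(len(s), len(v))             # pad so 4.87 compares like 4.87.0
    s, v = s + (0,) * (width - len(s)), v + (0,) * (width - len(v))
    return {"==": v == s, "===": v == s, "!=": v != s,
            ">=": v >= s, "<=": v <= s, ">": v > s, "<": v < s}[op]

def scan(text):
    """Return (line_no, verdict, admitted_bad_versions) per telnyx requirement."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQ.match(line)
        # PEP 503 normalisation so Telnyx, telnyx and TELNYX all match
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
            continue
        clauses = _CLAUSE.findall(m.group(2))
        hit = [b for b in BAD_VERSIONS if all(_admits(o, s, b) for o, s in clauses)]
        if not hit:
            verdict = "ok"
        elif any(o in ("==", "===") and "*" not in s for o, s in clauses):
            verdict = "pinned-malicious"
        else:                               # unpinned or a range that resolves to them
            verdict = "range-admits-malicious"
        findings.append((n, verdict, hit))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = "\n".join(["# constructed requirements file", "requests==2.31.0",
                    "telnyx==4.87.1", "Telnyx>=4.0,<5", "telnyx==4.87.0",
                    "telnyx>=4.80,!=4.87.1,!=4.87.2", "telnyx"])
```

A `range-admits-malicious` verdict means an install resolved while those versions were published could have pulled one of them, so the installed version and lock file for that environment need checking as well.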