TeamPCP compromised the telnyx PyPI package by publishing malicious versions 4.87.1 and 4.87.2 that use audio steganography in .WAV files to deliver credential-harvesting payloads across Windows, Linux, and macOS; users should immediately downgrade to 4.87.0 and follow mitigation steps. The campaign persists on Windows via a Startup-dropped msbuild.exe, exfiltrates collected data to 83.142.209[.]203:8080, and is linked to prior supply-chain compromises of Trivy, KICS, and litellm. #TeamPCP #telnyx
Key points
- TeamPCP published trojanized telnyx versions 4.87.1 and 4.87.2 to PyPI that harvest credentials via audio steganography.
- Malicious code is injected into telnyx/_client.py and executes when the package is imported.
- On Windows the attack drops and persists a decoded binary as msbuild.exe in the Startup folder.
- On Linux and macOS the payload runs in-memory, exfiltrates data as tpcp.tar.gz to 83.142.209[.]203:8080, then self-destructs.
- Mitigations include auditing for telnyx==4.87.1/4.87.2, downgrading to 4.87.0, rotating secrets, searching for msbuild.exe, and blocking the C2 domain.
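An added audit helper for the first and fourth mitigation steps above; it is example code written for this summary, not code from the article or the telnyx project. It checks the installed telnyx version and any requirements files for the two trojanized releases and flags an msbuild.exe in the per-user Windows Startup folder (assumed to be the standard path under %APPDATA%).

```python
"""Audit a host for the malicious telnyx releases named in the advisory."""
import os
from importlib import metadata
from pathlib import Path
from typing import Iterable, List, Optional, Union

# Versions named in the advisory; 4.87.0 is the last clean release.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
SAFE_VERSION = "4.87.0"


def is_malicious_version(version: str) -> bool:
    """True if the given telnyx version string is one of the trojanized releases."""
    return version.strip() in MALICIOUS_VERSIONS


def installed_telnyx_version() -> Optional[str]:
    """Version of telnyx in the current environment, or None if not installed."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def audit_requirements(lines: Iterable[str]) -> List[str]:
    """Return requirement lines that pin telnyx to a malicious version."""
    hits = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()  # drop trailing comments
        name, sep, ver = spec.partition("==")
        if sep and name.strip().lower() == "telnyx" and is_malicious_version(ver):
            hits.append(spec)
    return hits


def windows_startup_dir() -> Optional[Path]:
    """Per-user Startup folder (assumed standard location under %APPDATA%)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def suspicious_startup_entries(startup_dir: Union[str, Path]) -> List[Path]:
    """msbuild.exe never belongs in a Startup folder; list any copy found there."""
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []
    return [p for p in startup_dir.iterdir() if p.name.lower() == "msbuild.exe"]


if __name__ == "__main__":
    ver = installed_telnyx_version()
    print("telnyx:", ver, "MALICIOUS" if ver and is_malicious_version(ver) else "ok")
    startup = windows_startup_dir()
    if startup:
        print("startup hits:", suspicious_startup_entries(startup))
```

If the script reports a hit, treat the host as compromised: rotate every secret it could reach, not just reinstall 4.87.0.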
Read More: https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html