TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Harvester in WAV Files

TeamPCP, the threat actor behind the supply chain attacks targeting Trivy, KICS, and LiteLLM, has now compromised the telnyx Python package, pushing two malicious versions that steal sensitive data.
The two versions, 4.87.1 and 4.87.2, were published to the Python Package Index (PyPI) repository on March 27, 2026, and hid their credential-harvesting payload inside a .WAV file. Users are advised to downgrade to version 4.87.0 immediately. The PyPI project has since been placed in quarantine.
Reports from Aikido, Endor Labs, Ossprey Security, SafeDep, Socket, and StepSecurity indicate that the malicious code is embedded in “telnyx/_client.py,” so it executes as soon as the package is imported into a Python application. The malware targets Windows, Linux, and macOS systems.
“Our analysis reveals a three-stage runtime attack chain on Linux/macOS that includes audio-steganographic delivery, in-memory data harvesting, and encrypted exfiltration,” said Socket. “The entire chain is designed to run within a self-destructing temporary directory and leave almost zero forensic artifacts on the host.”
On Windows, the malware downloads a file called “hangup.wav” from the command-and-control (C2) server, extracts an executable from the audio data, and drops it into the Startup folder as “msbuild.exe,” so that it runs automatically every time a user logs in to the system.
If the infected host is running Linux or macOS, it instead downloads a separate .WAV file (“ringtone.wav”) from the same server, extracts the third-stage harvester script from it, and executes it. The credential harvester collects a wide range of sensitive data and exfiltrates it as “tpcp.tar.gz” via an HTTP POST request to “83.142.209[.]203:8080.”
“The dominant technique in this sample, and the reason for the title of this post, is the use of audio steganography to deliver the final payload,” said Ossprey Security. “Instead of hosting a raw executable or a base64 blob on the C2 (both of which get flagged by network inspection and EDR), the attacker wraps the payload inside a .WAV file.”
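The advisories do not say how the payload is encoded inside the audio, so the following is an added defensive example, not code from any of the vendors quoted here: it walks the RIFF chunk structure of a WAV file and flags executable signatures (ELF, Mach-O, PE, shebang) inside any chunk, unexpected chunk IDs, and bytes appended after the RIFF container ends. The two sample files are constructed in the block (one second of silence, and the same audio with a fake ELF header planted in the data chunk and a fake PE stub appended); the heuristic assumes the payload is stored as plain bytes, which a sample that spreads it across sample LSBs would evade.

```python
import io
import struct
import wave

# Four-byte (or longer) signatures are safe to search for anywhere. Two-byte
# "MZ" occurs by chance in real PCM, so a PE candidate is only reported when
# its e_lfanew field actually points at a "PE\0\0" signature.
LONG_MAGIC = {
    b"\x7fELF": "ELF header",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit header",
    b"\xca\xfe\xba\xbe": "Mach-O universal header",
    b"#!/": "script shebang",
}
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"id3 "}


def _pe_at(buf: bytes, idx: int) -> bool:
    """True if buf[idx:] starts with an MZ stub whose e_lfanew lands on PE\\0\\0."""
    if buf[idx:idx + 2] != b"MZ" or len(buf) < idx + 0x40:
        return False
    lfanew = struct.unpack_from("<I", buf, idx + 0x3C)[0]
    return buf[idx + lfanew:idx + lfanew + 4] == b"PE\x00\x00"


def _magic_findings(buf: bytes, base: int, label: str) -> list:
    out = []
    for magic, desc in LONG_MAGIC.items():
        idx = buf.find(magic)
        while idx != -1:
            out.append(f"{desc} in {label} at file offset {base + idx}")
            idx = buf.find(magic, idx + 1)
    idx = buf.find(b"MZ")
    while idx != -1:
        if _pe_at(buf, idx):
            out.append(f"PE header in {label} at file offset {base + idx}")
        idx = buf.find(b"MZ", idx + 1)
    return out


def riff_chunks(blob: bytes):
    """Walk the RIFF/WAVE chunk list; return ([(id, payload_offset, payload)], riff_end)."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_end = min(8 + struct.unpack_from("<I", blob, 4)[0], len(blob))
    chunks, pos = [], 12
    while pos + 8 <= riff_end:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        chunks.append((cid, pos + 8, blob[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size & 1)  # chunks are word-aligned
    return chunks, riff_end


def scan_wav(blob: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, riff_end = riff_chunks(blob)
    for cid, off, payload in chunks:
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({len(payload)} bytes)")
        findings += _magic_findings(payload, off, f"{cid.decode('ascii', 'replace')!r} chunk")
    if riff_end < len(blob):
        findings.append(f"{len(blob) - riff_end} bytes appended after RIFF end")
        findings += _magic_findings(blob[riff_end:], riff_end, "trailer")
    return findings


def build_wav(pcm: bytes, rate: int = 8000) -> bytes:
    """Constructed sample: wrap raw 16-bit mono PCM in a minimal WAV container."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)
    return buf.getvalue()


# Constructed samples (not the attacker's files): one second of silence, and the
# same audio with a fake ELF header inside the data chunk plus a fake PE stub
# appended after the RIFF structure ends.
SILENCE = b"\x00" * 16000
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16
CLEAN_WAV = build_wav(SILENCE)
STEGO_WAV = build_wav(SILENCE[:1000] + FAKE_ELF + SILENCE[1000 + len(FAKE_ELF):]) + FAKE_PE

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WAV), ("stego", STEGO_WAV)):
        print(name, scan_wav(blob) or "no findings")
```

Run it against any .WAV a build host fetched from an unexpected origin; a clean file produces no findings, while the constructed sample reports the planted ELF at file offset 1044 (44-byte header plus 1000 bytes of audio) and the 84 trailing bytes with a PE header.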
It is not yet known how TeamPCP obtained the package’s PYPI_TOKEN, but it may have been captured in an earlier harvesting operation.
“We believe the most likely vector is LiteLLM itself,” said Endor Labs researchers Kiran Raj and Rachana Misal. “TeamPCP’s harvester swept environment variables, .env files, and shell history from every system that installed LiteLLM. If any developer or CI pipeline had both a LiteLLM installation and access to a telnyx PyPI token, that token was already in TeamPCP’s hands.”
What is notable about the attack is the absence of any persistence on Linux and macOS: the malicious actions are carried out in a temporary directory whose contents are deleted once everything is finished.
“The split in strategy is clear. Windows gets persistence: a binary in the Startup folder that survives a reboot, giving the threat actor long-term, repeated access,” Socket explained. “Linux/macOS gets smash-and-grab: a single, quick data-harvesting run that collects everything of value, exfiltrates it fast, then disappears.”
The development comes just days after the threat actor distributed trojanized versions of the popular LiteLLM Python package to exfiltrate cloud credentials, CI/CD secrets, and keys to a domain under its control.
The supply chain incident also points to a new-found maturity: rather than publishing malicious typosquats in open source repositories, the threat actor repeatedly infects legitimate, trusted packages with large user bases to push malware to downstream users and widen the blast radius.
“Target selection throughout this campaign is focused on tools with high access to automated pipelines: a container scanner (Trivy), an infrastructure scanning tool (KICS), and an AI model routing library (LiteLLM),” said Snyk. “Each of these tools requires broad read access to the environments it runs in (credentials, configuration, environment variables) by design.”
To mitigate the threat, developers are advised to take the following actions:
- Audit Python environments and requirements.txt files for telnyx==4.87.1 or telnyx==4.87.2. If found, replace them with a clean version.
- Treat all secrets on affected hosts as compromised and rotate them.
- Look for a file named “msbuild.exe” in the Windows Startup folder.
- Block the C2 and exfiltration address (“83.142.209[.]203”).
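The four mitigation steps above, as one added triage script (not code from the advisories): it classifies every telnyx line in a requirements file or `pip freeze` dump, checks the version installed in the current interpreter, looks for the Startup-folder artifact, and greps proxy log lines for the C2 address. The requirements text and log lines are constructed samples; the per-user and all-users Startup folder paths are an assumption, since the advisories only say “Startup folder”.

```python
import os
import re
from importlib import metadata

# Indicators quoted in the advisories above.
MALICIOUS_TELNYX = {"4.87.1", "4.87.2"}
CLEAN_TELNYX = "4.87.0"
C2_IP = "83.142.209.203"
STARTUP_ARTIFACT = "msbuild.exe"

# One requirement line: name, optional extras, optional version specifier.
# Good enough for requirements.txt and `pip freeze`; not a full PEP 508 parser.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<spec>(===|==|~=|!=|<=|>=|<|>)\s*[^\s;#,]+)?"
)


def classify_requirement(line: str):
    """None for non-telnyx lines, else 'malicious', 'pinned-ok' or 'unpinned'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blanks, comments, -r/-e/--index-url lines
        return None
    m = REQ_RE.match(line)
    if not m or m.group("name").lower().replace("_", "-") != "telnyx":
        return None
    spec = (m.group("spec") or "").replace(" ", "")
    if spec.startswith("==") and not spec.startswith("==="):
        return "malicious" if spec[2:] in MALICIOUS_TELNYX else "pinned-ok"
    return "unpinned"  # a range or no pin at all: check what actually resolved


def audit_requirements(text: str):
    """[(line_no, line, verdict)] for every telnyx requirement in text."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        verdict = classify_requirement(raw)
        if verdict:
            out.append((no, raw.strip(), verdict))
    return out


def installed_telnyx():
    """(version, is_malicious) for the telnyx dist visible to this interpreter, or None."""
    try:
        v = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None
    return v, v in MALICIOUS_TELNYX


def startup_candidates():
    """Assumed drop locations: per-user and all-users Windows Startup folders."""
    paths = []
    for env, leaf in (("APPDATA", "Startup"), ("ProgramData", "StartUp")):
        root = os.environ.get(env)
        if root:
            paths.append(os.path.join(root, "Microsoft", "Windows", "Start Menu",
                                      "Programs", leaf, STARTUP_ARTIFACT))
    return paths


def startup_artifacts_present():
    return [p for p in startup_candidates() if os.path.exists(p)]


C2_RE = re.compile(re.escape(C2_IP) + r"(:\d+)?")


def c2_hits(log_lines):
    """Proxy/firewall log lines that mention the C2 address (any port)."""
    return [l for l in log_lines if C2_RE.search(l)]


# Constructed samples, not data from an affected host.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
telnyx==4.87.2        # pulled in on 2026-03-27
Telnyx[async] == 4.87.0
telnyx>=4.80
-e ./vendor/mylib
"""
SAMPLE_LOG = [
    "2026-03-27T14:02:11Z build-01 POST http://83.142.209.203:8080/ 200 38112",
    "2026-03-27T14:02:12Z build-01 GET https://pypi.org/simple/telnyx/ 200 4410",
]

if __name__ == "__main__":
    for no, line, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {verdict:10s} {line}")
    print("installed:", installed_telnyx())
    print("startup artifact:", startup_artifacts_present() or "none")
    print("c2 hits:", c2_hits(SAMPLE_LOG))
```

An “unpinned” verdict is not a clean bill of health: a range such as `telnyx>=4.80` resolved to 4.87.2 on March 27, 2026, so the lock file or `pip freeze` output from each affected build must be checked as well. Any host where the harvester ran should have its secrets rotated regardless of what the Startup-folder check returns, because the Linux/macOS variant leaves no artifact to find.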
The compromise is part of a broader, ongoing TeamPCP campaign spanning multiple ecosystems, with the threat actor announcing collaborations with other cybercrime groups such as LAPSUS$ and an emerging ransomware group called Vect to carry out extortion and ransom operations.
It also reflects a shift in which ransomware gangs, which have historically relied on initial access methods such as phishing and exploiting security flaws, are now weaponizing supply chain attacks against open source infrastructure as the entry point for follow-on attacks.
“This puts a spotlight on anything in the CI/CD space that isn’t closed,” Socket said. “Security scanners, IDE extensions, build tools, and operating systems are given broad access because they’re expected to need it. If attackers are targeting the tools themselves, anything running in the pipeline should be considered a potential entry point.”