TeamPCP Backdoors Telnyx PyPI Package, Hiding Malware in WAV Audio Files
The **Telnyx** package on the Python Package Index (PyPI) was compromised by the **TeamPCP** hacking group, who uploaded malicious versions designed to deliver credential-stealing malware. The malware is cleverly hidden within WAV audio files, marking a sophisticated supply-chain attack.

Application security firms **Aikido**, **Socket**, and **Endor Labs** detected the supply-chain attack and attributed it to TeamPCP, citing exfiltration patterns and RSA keys matching those seen in the group's previous incidents.
TeamPCP has been linked to several recent supply-chain attacks, including those targeting **Aqua Security**'s **Trivy** vulnerability scanner and the open-source Python library **LiteLLM**, as well as wiper attacks aimed at Iranian systems.
## Malicious Package Details
Earlier today, the threat actor published backdoored versions **4.87.1** and **4.87.2** of the Telnyx package. These malicious versions deploy malware on Linux and macOS systems that steals SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other sensitive data.
On Windows systems, the malware is designed for persistence, placing itself in the startup folder to run on every login.
The **Telnyx PyPI** package is the official Python Software Development Kit (SDK) that enables developers to integrate Telnyx communication services, such as VoIP, messaging (SMS, MMS, WhatsApp), fax, and IoT connectivity, into their applications. The package boasts over 740,000 downloads per month on PyPI, highlighting its widespread use.
## Compromise Method
Security researchers suspect that the attackers gained access by using stolen credentials for the publishing account on the PyPI registry.
Initially, TeamPCP released Telnyx version 4.87.1 at 03:51 UTC, but the payload was non-functional. They corrected this error roughly an hour later, at 04:07 UTC, with the release of Telnyx version 4.87.2.
The malicious code resides in the `telnyx/_client.py` file and runs automatically as soon as the package is imported, while the legitimate SDK classes continue to function as intended.
## Technical Analysis
On Linux and macOS systems, the payload initiates a detached process that downloads a second-stage payload disguised as a WAV audio file (`ringtone.wav`) from a remote command-and-control (C2) server.

By employing steganography, the attackers embedded malicious code within the file's data frames without altering the audio's properties. The payload is extracted using a simple XOR-based decryption routine and executes in memory to harvest sensitive data from infected hosts.
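A defender's triage of a WAV carrier file, written as an added example for this article (it is not the researchers' tooling and does not reproduce the actual payload). The article states only that the payload sat inside the WAV's data frames and was XOR-decoded, not how it was encoded, so the script stays generic: it walks the RIFF chunk layout, compares declared sizes with what is actually on disk, and measures the byte entropy of the PCM data. The `HIGH_ENTROPY` threshold, the helper names, and the two in-memory sample files (a quiet tone and the same container stuffed with pseudo-random bytes standing in for an encrypted blob) are all constructed for the demo.

```python
"""Triage a WAV file for signs of a smuggled payload (added example, not from the article)."""
import io
import math
import random
import struct
import wave

HIGH_ENTROPY = 7.5   # bits per byte; assumed threshold, tune it against your own asset corpus


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report layout anomalies plus data-chunk entropy."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    # The RIFF size field excludes the 8-byte 'RIFF' + size header itself.
    declared_total = struct.unpack_from("<I", blob, 4)[0] + 8
    chunks = []            # (chunk id, declared size, bytes actually present)
    data_entropy = None
    pos = 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        body = blob[pos + 8:pos + 8 + size]
        chunks.append((cid.decode("ascii", "replace"), size, len(body)))
        if cid == b"data":
            data_entropy = byte_entropy(body)
        pos += 8 + size + (size & 1)   # chunk bodies are padded to an even length
    truncated = any(size != present for _, size, present in chunks)
    return {
        "chunks": chunks,
        "declared_total": declared_total,
        "actual_total": len(blob),
        "trailing_bytes": max(0, len(blob) - pos),
        "data_entropy": data_entropy,
        # Any one of these is a reason to pull the file for manual review.
        "suspicious": bool(
            truncated
            or declared_total != len(blob)
            or (data_entropy is not None and data_entropy > HIGH_ENTROPY)
        ),
    }


def make_wav(frames: bytes, rate: int = 8000) -> bytes:
    """Wrap raw 16-bit mono PCM frames in a WAV container, in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


# Constructed samples: one second of a quiet 440 Hz tone, and the same container
# with the audio replaced by seeded pseudo-random bytes (a stand-in for an
# encrypted blob, not the real second stage).
TONE = b"".join(struct.pack("<h", int(3000 * math.sin(2 * math.pi * 440 * n / 8000)))
                for n in range(8000))
BLOB = random.Random(2024).randbytes(16000)
CLEAN_WAV = make_wav(TONE)
STUFFED_WAV = make_wav(BLOB)

if __name__ == "__main__":
    for label, sample in (("tone", CLEAN_WAV), ("stuffed", STUFFED_WAV)):
        report = parse_chunks(sample)
        print(label, report["chunks"], round(report["data_entropy"], 3), report["suspicious"])
```

Treat the entropy score as one signal, not a verdict: real recordings can be noisy enough to score high, and a short repeating XOR key applied to text-like content keeps the plaintext's byte-frequency profile, so a smuggled script may not stand out on entropy alone. The structural checks and a byte-for-byte comparison against the asset you actually shipped are the reliable part; the article's description of a download from a C2 server also makes outbound connections from build and developer hosts the place to watch.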
If **Kubernetes** is detected on the compromised machine, the malware enumerates cluster secrets and deploys privileged pods across nodes, attempting to gain access to the underlying host systems.
On Windows systems, a different WAV file (`hangup.wav`) is downloaded, which extracts an executable named `msbuild.exe`.
This executable is placed in the Startup folder to ensure persistence across system reboots. A lock file is used to limit repeated execution within 12-hour windows.
## Mitigation Steps
Researchers advise that Telnyx SDK version 4.87.0 is the clean variant and contains legitimate Telnyx code without any modifications. Developers are strongly encouraged to revert to this release if they find Telnyx versions 4.87.1 or 4.87.2 in their environments.
Any system that imported the malicious package versions should be considered fully compromised, as the payload executes at runtime and may have already exfiltrated sensitive data. It is highly recommended to rotate all secrets as soon as possible.
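The version check the advice above calls for, as an added example that is not Telnyx's or the researchers' code. The only facts it takes from the article are the two backdoored releases (4.87.1 and 4.87.2) and the clean release (4.87.0); the function names, the requirements-file parsing and the sample requirements content are constructed for the demo.

```python
"""Flag Telnyx installs or pins that reference the backdoored releases (added example)."""
import re
from importlib import metadata

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}   # backdoored releases named in the article
CLEAN_VERSION = "4.87.0"                    # last clean release named in the article

# Project name at the start of a requirements line (PEP 508 style names).
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._\-]*)")
# Exact '==' pin, allowing extras such as telnyx[async]==4.87.0.
PIN_RE = re.compile(r"^[A-Za-z0-9._\-]+\s*(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.\-]*)")


def is_affected(version: str) -> bool:
    """True if the version string is one of the backdoored releases."""
    return version.strip() in AFFECTED_VERSIONS


def scan_requirements(text: str) -> list:
    """Return one finding per requirements line that names the telnyx package.

    status: "affected"  -> pinned to a backdoored version
            "clean"     -> pinned to any other version
            "unpinned"  -> no exact '==' pin, so a resolver may still pick one up
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        name = NAME_RE.match(stripped)
        if name is None or name.group(1).lower() != "telnyx":
            continue
        pin = PIN_RE.match(stripped)
        if pin is None:
            findings.append({"line": lineno, "version": None, "status": "unpinned"})
            continue
        version = pin.group(1)
        findings.append({
            "line": lineno,
            "version": version,
            "status": "affected" if is_affected(version) else "clean",
        })
    return findings


def installed_status() -> str:
    """Describe the telnyx distribution installed in this interpreter, if any."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "telnyx is not installed"
    if is_affected(version):
        return (f"telnyx {version} is a backdoored release: treat the host as "
                f"compromised, rotate secrets, then pin telnyx=={CLEAN_VERSION}")
    return f"telnyx {version} is not one of the affected releases"


# Constructed sample requirements file for the demo; not from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
telnyx==4.87.2        # pulled in this morning
Telnyx[async]==4.87.0
telnyx>=4.80
"""

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
    print(installed_status())
```

Run it on every host and CI runner that could have resolved the package during the publication window, not just where the pin lives: a pin is only a pointer, and the article's point is that importing either bad version is enough, so an "affected" hit means rotation of every secret the host could reach, not just a downgrade.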