PyPI supply‑chain hack lesson

The Telnyx PyPI compromise—malicious code slipped into a widely used Python package—has become a cautionary case for software supply‑chain risk and rapid breach response. The incident is driving calls for tighter third‑party vetting, continuous dependency monitoring and clearer incident playbooks for both enterprise and facility systems. (dev.to)

On March 27, 2026 at 03:51:28 UTC, two unauthorized telnyx releases, 4.87.1 and 4.87.2, were published to PyPI; both were removed and quarantined by 10:13 UTC the same day. (telnyx.com)

The malicious code fetched a live second-stage payload concealed inside .wav files (ringtone.wav for Linux/macOS and hangup.wav for Windows), using audio steganography to hide the executable bits. (safedep.io) On Windows the payload dropped a persistent executable at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe; on Linux/macOS the backdoor harvested environment variables, .env files and shell histories, then encrypted and exfiltrated them. (safedep.io)

Multiple analysis teams attribute the publish to the threat actor "TeamPCP," citing reuse of the same RSA public key and exfiltration headers previously seen in the LiteLLM compromise, and place this event within a broader multi-week campaign. (endorlabs.com)

The blast radius is large. Telnyx's SDK sees heavy use (SafeDep estimated roughly 1,000,000+ downloads per month, about 30,000 per day), and the injected code executed automatically on import, so any unpinned or transitively resolved dependency could have pulled the backdoor into CI runners and production images without anyone calling the SDK. (safedep.io)

Telnyx advised an immediate downgrade to telnyx==4.87.0, rotation of all secrets in affected environments (API keys, database credentials, cloud tokens), and auditing for outbound connections to attacker infrastructure at 83.142.209.203:8080. (telnyx.com)

Researchers flagged that 4.87.1 and 4.87.2 had no corresponding GitHub release tags, evidence that the PyPI publishing credentials were used directly rather than the releases coming from upstream source, and at least one research team reported the malicious uploads to the maintainers within about three hours of discovery. (github.com, endorlabs.com)
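The three checks the advisory implies (is the bad version anywhere in a lockfile or image, did anything talk to the attacker host, is the Windows persistence file present) are easy to script. The block below is an added example, not code from Telnyx, SafeDep or Endor Labs; the only indicators it uses are the two version numbers, the C2 IP:port and the Startup-folder path quoted above. The requirements lines, the key=value flow-log format and the file paths are constructed sample inputs, and the `dst=IP:PORT` regex is an assumption you would adapt to your own sensor's format.

```python
"""Triage helpers for the telnyx 4.87.1/4.87.2 incident (added example, not vendor code)."""
import re

# Indicators taken from the write-up above; everything else in this file is assumed.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}   # the two unauthorized releases
SAFE_PIN = "telnyx==4.87.0"                  # the downgrade Telnyx advised
C2_HOST, C2_PORT = "83.142.209.203", 8080    # attacker infrastructure named in the advisory
# Windows persistence artifact; %APPDATA% expands to ...\AppData\Roaming on a real host
STARTUP_ARTIFACT = r"\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"

# Handles the usual requirements.txt / pip-freeze shapes: "pkg", "pkg==1.2", "pkg >= 1.2"
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_requirement(line):
    """Return (normalized_name, operator, version) for one requirement line, or None."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line or line.startswith("-"):          # blank lines and -r/-e/--index-url options
        return None
    m = REQ_RE.match(line)
    if not m:
        return None
    name, op, ver = m.groups()
    return name.lower().replace("_", "-"), op, ver


def check_requirements(lines):
    """Classify every telnyx requirement as 'compromised', 'unpinned' or 'ok'.

    A floating spec is flagged because a resolver running during the exposure
    window would have selected the newest release, i.e. 4.87.1 or 4.87.2.
    """
    findings = []
    for line in lines:
        parsed = parse_requirement(line)
        if parsed is None or parsed[0] != "telnyx":
            continue
        _, op, ver = parsed
        if op == "==" and ver in MALICIOUS_VERSIONS:
            findings.append(("compromised", line.strip()))
        elif op != "==":
            findings.append(("unpinned", line.strip()))
        else:
            findings.append(("ok", line.strip()))
    return findings


# Assumed key=value flow-log format: "... dst=IP:PORT ..."; adjust the regex for your sensor.
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


def find_c2_connections(log_lines):
    """Return (line, port_matches_advisory) for every flow whose destination is the C2 host.

    Any contact with the attacker host is worth review, so the match is on the
    IP alone; the flag records whether the port is the 8080 named in the advisory.
    """
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if m and m.group(1) == C2_HOST:
            hits.append((line, int(m.group(2)) == C2_PORT))
    return hits


def find_startup_artifacts(paths):
    """Flag any path ending in the Startup-folder msbuild.exe drop location (case-insensitive)."""
    needle = STARTUP_ARTIFACT.lower()
    return [p for p in paths if p.replace("/", "\\").lower().endswith(needle)]


# Constructed sample inputs, not data from the incident
SAMPLE_REQUIREMENTS = [
    "telnyx==4.87.2",           # frozen from a CI image built during the exposure window
    "telnyx>=4.80",             # floating spec: would have resolved to the bad release
    "requests==2.32.3",
    "telnyx==4.87.0  # pinned per advisory",
]
SAMPLE_FLOWS = [
    "2026-03-27T04:02:11Z proto=tcp src=10.0.4.12:51822 dst=83.142.209.203:8080 bytes_out=18322",
    "2026-03-27T04:02:12Z proto=tcp src=10.0.4.12:51823 dst=151.101.1.63:443 bytes_out=1200",
    "2026-03-27T04:03:40Z proto=tcp src=10.0.4.19:40110 dst=83.142.209.203:443 bytes_out=300",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe",
    r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
]

if __name__ == "__main__":
    for verdict, req in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:12} {req}")
    for line, exact in find_c2_connections(SAMPLE_FLOWS):
        print("C2 contact" + (" (advisory port)" if exact else ""), line)
    print("persistence:", find_startup_artifacts(SAMPLE_PATHS))
    print("remediate with:", SAFE_PIN)
```

Run it against `pip freeze` output from each CI runner and container image, your flow or proxy logs for the exposure window, and a file listing of every Windows user's Startup folder. A legitimate MSBuild.exe lives under the Visual Studio or .NET SDK tree, never in a per-user Startup folder, which is why the path check is specific enough to act on. A finding of "compromised" or "unpinned" means the host may have imported the backdoor, so treat every secret visible to it as exposed and rotate, as the advisory says, rather than only downgrading.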

Shared from Scout - Be the smartest in the room.