Malicious Telnyx PyPI package with audio steganography
Researchers flagged malicious Telnyx Python SDK uploads that hid credential-stealing code via WAV audio steganography, demonstrating a novel payload-delivery vector against production environments. The incident highlights that package integrity checks and runtime package behavior monitoring now need to be first-class observability signals. (thehackernews.com)
Two malicious releases of the official telnyx Python package, versions 4.87.1 and 4.87.2, were published to PyPI on March 27, 2026 and were quarantined by PyPI after external researchers raised the alarm. (thehackernews.com) Injected module-level code ran automatically whenever telnyx was imported and fetched a second-stage payload hidden inside .wav files hosted on attacker infrastructure. (safedep.io) The attacker-controlled C2 observed in telemetry resolved to 83.142.209.203:8080 and served two payload URLs, /ringtone.wav for Unix platforms and /hangup.wav for Windows, which the backdoor decoded and executed. (safedep.io)

telnyx==4.87.1 has SHA256 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9 and telnyx==4.87.2 has SHA256 cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3; both hashes are listed in vendor analyses and IoC feeds. (safedep.io) On Windows the payload attempted persistence by dropping an executable at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe; on Unix/macOS it collected credentials, encrypted them with AES-256-CBC plus RSA-4096 and exfiltrated them via HTTP POST. (safedep.io)

Security researchers and vendors attribute the upload to the TeamPCP campaign that hit Trivy and litellm earlier in March 2026. The malicious releases have no corresponding GitHub tags, while the last clean release, v4.87.0, was published on March 26, indicating that the PyPI maintainer account was likely abused. (aikido.dev, github.com)
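The hashes and version numbers above are exactly what a pre-install integrity gate consumes. The block below is an added example, not tooling from the article, SafeDep, Aikido or Telnyx: it refuses a downloaded sdist or wheel if its SHA256 matches one of the two malicious telnyx digests, if its name and version are one of the affected releases, or if its digest is not among the `--hash=sha256:...` values pinned for that exact version in a pip requirements file (the format pip's hash-checking mode uses). The sample bytes and the requirements text are constructed for the demo; only the two bad hashes and the two version numbers come from the page.

```python
"""Pre-install integrity gate for a PyPI artifact.

Added example, not tooling from the article, SafeDep or Telnyx. Three
checks, in order: known-bad SHA256, affected name/version, and a pin
match against a hash-pinned requirements file. The sample artifact and
requirements file are constructed stand-ins.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 of telnyx 4.87.1 and 4.87.2 as published in vendor IoC feeds (see above).
KNOWN_BAD_SHA256 = {
    "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9": "telnyx==4.87.1",
    "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3": "telnyx==4.87.2",
}
AFFECTED_RELEASES = {("telnyx", "4.87.1"), ("telnyx", "4.87.2")}

# "name==version" at the start of a requirements line, and its --hash tokens.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_pinned_hashes(requirements_text):
    """Return {(name, version): {sha256, ...}} from a hash-pinned requirements
    file, joining the backslash line continuations pip-compile writes."""
    pins = {}
    for line in requirements_text.replace("\\\n", " ").splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        key = (m.group(1).lower(), m.group(2))
        pins.setdefault(key, set()).update(_HASH_RE.findall(line))
    return pins


def check_artifact(path, name, version, pins):
    """Return ("block" | "allow", reason) for one distribution file."""
    digest = sha256_file(path)
    key = (name.lower(), version)
    if digest in KNOWN_BAD_SHA256:
        return "block", f"sha256 matches known-malicious {KNOWN_BAD_SHA256[digest]}"
    if key in AFFECTED_RELEASES:
        return "block", f"{name}=={version} is an affected release"
    if key not in pins:
        return "block", f"{name}=={version} has no pinned hash"
    if digest not in pins[key]:
        return "block", f"sha256 {digest[:12]}... is not in the pinned set"
    return "allow", f"sha256 {digest[:12]}... matches the pin"


# Constructed sample: stand-in bytes for a telnyx-4.87.0 sdist and a
# requirements file that pins exactly that digest.
SAMPLE_DATA = b"constructed stand-in for telnyx-4.87.0.tar.gz, not a real artifact\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DATA).hexdigest()
SAMPLE_REQUIREMENTS = "telnyx==4.87.0 \\\n    --hash=sha256:" + SAMPLE_SHA256 + "\n"


def demo():
    """Run the gate over the constructed sample; returns {case: verdict}."""
    pins = parse_pinned_hashes(SAMPLE_REQUIREMENTS)
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "telnyx-4.87.0.tar.gz"
        path.write_bytes(SAMPLE_DATA)
        return {
            "pinned 4.87.0": check_artifact(path, "telnyx", "4.87.0", pins)[0],
            "claims to be 4.87.1": check_artifact(path, "telnyx", "4.87.1", pins)[0],
            "unpinned package": check_artifact(path, "requests", "2.32.3", pins)[0],
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The ordering matters: an unpinned package is blocked rather than allowed, so a new dependency cannot slip past the gate simply because nobody pinned it yet, and the version check catches an affected release even when its file hash is not yet in a blocklist. Pinning by hash is what would have stopped this incident mechanically, since 4.87.1 and 4.87.2 carry digests that no lockfile produced before March 27 could contain.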