TeamPCP Distributes Malicious Telnyx Packages on PyPI, Conceals Data Stealer Inside WAV Files

A new software supply chain attack has been uncovered involving TeamPCP, the same threat group previously linked to compromises of Trivy, KICS, and litellm. This time, the attackers targeted the widely used Telnyx Python package by uploading malicious versions to the Python Package Index (PyPI).

Malicious Versions Disguised as Legitimate Updates

Security researchers revealed that versions 4.87.1 and 4.87.2, released on March 27, 2026, were embedded with hidden credential-stealing functionality. Developers who installed these versions are strongly advised to downgrade immediately to version 4.87.0.

The PyPI project has since been quarantined after multiple cybersecurity firms confirmed the compromise. The injected code resides in the file telnyx/_client.py, ensuring execution as soon as the package is imported into a Python environment.

Advanced Attack Technique Using Audio Steganography

One of the most unusual aspects of this campaign is the use of audio files to conceal malicious payloads. Instead of delivering malware in a detectable format, attackers embedded it within .WAV files.


On Windows systems, the malware downloads a file named hangup.wav from a command-and-control server. It extracts a hidden executable and places it in the Startup folder as msbuild.exe, enabling automatic execution after every system reboot.

For Linux and macOS systems, a different audio file named ringtone.wav is retrieved. This file contains encoded scripts that extract sensitive data from the infected system.

Multi-Stage Execution and Data Exfiltration

The attack follows a structured multi-stage process:

  1. Delivery of payload via audio steganography
  2. Execution of a credential-harvesting script directly in memory
  3. Secure exfiltration of collected data to a remote server

The malware gathers sensitive information such as environment variables, credentials, and configuration files. The stolen data is compressed into a file named tpcp.tar.gz and transmitted to a remote server at:

83.142.209[.]203:8080

Researchers emphasize that the malware operates within temporary directories and deletes traces after execution, making forensic analysis extremely difficult.
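As an added example (not code from the article, from Telnyx, or from the researchers cited), the following Python triage script checks an environment for the malicious versions named above and scans the injected file, telnyx/_client.py, for the strings the article mentions. It locates the file through package metadata rather than importing telnyx, because importing is what triggers the injected code. The indicator list and the constructed sample text are assumptions drawn from this article only.

```python
"""Triage helper for the malicious telnyx 4.87.1 / 4.87.2 releases (added example).

Never `import telnyx` to find its files: the article states the payload runs
on import. Package metadata gives the path without executing anything.
"""
from importlib import metadata
from pathlib import Path
from typing import Optional

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}   # versions named in the article
SAFE_VERSION = "4.87.0"                     # downgrade target named in the article
# Plain strings taken from the article (C2 address un-defanged for matching).
# A hit is a reason to quarantine the host, not proof of compromise by itself.
INDICATORS = ("hangup.wav", "ringtone.wav", "tpcp.tar.gz",
              "83.142.209.203", "msbuild.exe")


def is_affected_version(version: str) -> bool:
    """True when the version string is one of the known-malicious releases."""
    return version.strip() in AFFECTED_VERSIONS


def scan_client_text(text: str) -> list:
    """Return the indicators present in the contents of telnyx/_client.py."""
    return [ioc for ioc in INDICATORS if ioc in text]


def installed_telnyx_version() -> Optional[str]:
    """Installed telnyx version read from metadata, or None if not installed."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def triage(version: Optional[str], client_text: str) -> dict:
    """Combine the version check and the file scan into one verdict plus a pin."""
    hits = scan_client_text(client_text)
    affected = version is not None and is_affected_version(version)
    flagged = affected or bool(hits)
    return {"version": version, "affected_version": affected, "indicators": hits,
            "verdict": "QUARANTINE" if flagged else "clean",
            "remediation": f"telnyx=={SAFE_VERSION}" if flagged else None}


if __name__ == "__main__":
    ver = installed_telnyx_version()
    text = ""
    if ver is not None:
        # locate_file() resolves the path from metadata without importing the package
        path = Path(metadata.distribution("telnyx").locate_file("telnyx/_client.py"))
        text = path.read_text(errors="replace") if path.exists() else ""
    print(triage(ver, text))
```

Run it inside each virtual environment or CI image that may have installed telnyx; a `QUARANTINE` verdict means rotate any credentials present in that environment in addition to downgrading.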

Cross-Platform Behavior Differences

The attack strategy varies depending on the operating system:

  • Windows: Establishes persistence through Startup folder execution
  • Linux/macOS: Performs rapid data collection and removes itself without leaving traces

This dual approach allows attackers to maintain long-term access on Windows systems while quickly extracting valuable data from Unix-based environments.

Possible Entry Point for the Compromise

It remains unclear how TeamPCP gained access to the Telnyx package publishing credentials. However, experts believe the breach may be linked to a previous compromise involving the litellm package.

During that earlier attack, sensitive information such as environment variables, .env files, and shell histories was harvested. If any system had both litellm installed and access to Telnyx credentials, attackers could have captured the PyPI token.

Broader Supply Chain Threat Expands

This incident is part of a larger campaign in which attackers weaponize trusted open-source packages rather than relying on fake or typosquatted packages.

TeamPCP has also reportedly collaborated with other cybercriminal groups, including LAPSUS$ and a ransomware group known as Vect, to scale their operations and maximize the impact of stolen credentials.

Experts warn that attackers are increasingly targeting tools used in CI/CD pipelines, such as security scanners and development frameworks, because they typically have elevated access to sensitive systems.
