This article covers the Telnyx compromise (Day 9 of the TeamPCP campaign).
On March 27, 2026, TeamPCP published two malicious versions of the Telnyx Python SDK to PyPI - versions 4.87.1 and 4.87.2 - using publishing credentials stolen during the LiteLLM compromise three days earlier.
The Telnyx package, the official SDK for an enterprise communications platform serving customers including Cisco, Philips, and Red Cross, averages 730,000 downloads per month.
The malicious code introduced a technique new to this campaign: WAV audio file steganography, concealing executable payloads inside the frame data of files that pass MIME-type validation and appear as harmless audio to network inspection tools.
On Windows, the malware extracts a persistent binary from a WAV file and drops it in the Startup folder.
On Linux and macOS, it extracts a credential harvester that sweeps SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallets before encrypting and exfiltrating everything to a raw IP address.
The first version shipped with a case-sensitivity typo that rendered the payload non-functional. TeamPCP corrected the error in version 4.87.2 just 16 minutes later. PyPI quarantined both versions by 10:13 UTC - a 6-hour 22-minute exposure window.
This is Day 9 of the most significant software supply chain campaign of 2026, and the third proven link in a credential chain that began with a single misconfigured GitHub Actions workflow in Aqua Security's Trivy repository: one stolen PAT yielded Trivy, which yielded LiteLLM, which yielded Telnyx.
Nine days. Five ecosystems. Three PyPI packages. And the campaign has now entered its monetization phase - TeamPCP has announced a formal alliance with the Vect ransomware group and BreachForums to convert stolen credentials into extortion operations.
KEY FACTS
- What: TeamPCP backdoored the Telnyx Python SDK on PyPI with credential-stealing malware hidden inside WAV audio files - the ninth day and third PyPI target of a campaign spanning five package ecosystems.
- Who: Telnyx ($112M revenue, 304 employees, customers include Cisco, Philips, Red Cross). Downstream: any developer, CI/CD pipeline, or production system importing the telnyx Python package.
- How: PyPI publishing credentials stolen via credential chaining - Trivy compromise harvested LiteLLM co-founder's credentials, LiteLLM compromise harvested Telnyx PyPI token from a developer or CI pipeline that had both packages installed.
- Data: SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets and service account tokens, Docker/npm/Git/Vault authentication, database credentials, cryptocurrency wallets, environment variables, shell history.
- Actor: TeamPCP (DeadCatx3, PCPcat, PersyPCP, ShellForce) - hybrid cybercrime group, first observed November 2025. Attribution confidence: HIGH.
- Impact: 730,000 monthly package downloads exposed during a 6-hour window. Credential theft from any system that imported the malicious versions. Campaign-wide: 1,000+ compromised SaaS environments (Mandiant), TeamPCP claims 300 GB exfiltrated and 500,000+ infected systems (unverified).
WHAT HAPPENED
At 03:51 UTC on March 27, 2026, TeamPCP published Telnyx version 4.87.1 to PyPI. The package contained 74 lines of malicious code injected into telnyx/_client.py - the SDK's core client module, which executes automatically when any application imports the telnyx package.
No GitHub release or tag was created for the version. The legitimate Telnyx repository (team-telnyx/telnyx-python) showed no compromise - all commits came from the stainless-app[bot] automation account.
The malicious version was uploaded using twine/6.2.0 on CPython 3.14.3, while Telnyx's CI pipeline uses rye publish. This tool mismatch is forensic proof that the attacker uploaded the wheels manually using a stolen PyPI token.
Version 4.87.1 shipped with a bug. The Windows attack function was defined as setup() (lowercase) on line 7761, but the module-scope call on line 7823 invoked Setup() (uppercase). Python is case-sensitive.
The result was a NameError at module scope that prevented both the Windows and Linux/macOS code paths from executing - the calls were sequential, and the error from Setup() aborted execution before FetchAudio() could run.
Both function calls were wrapped in bare except blocks, so the error was silently swallowed and the package appeared to work normally. No credentials were stolen. The attacker's first shot was a blank.
Sixteen minutes later, at 04:07 UTC, TeamPCP published version 4.87.2 with exactly one change: Setup() was corrected to setup(). Both attack paths were now functional.
The speed of the correction - 16 minutes between versions - indicates the attacker was actively monitoring payload execution and testing the published package in real time.
At 06:51 UTC, security researcher kiran-sec opened GitHub Issue #235 on the telnyx-python repository, documenting the injected code and warning the community. By 10:13 UTC, PyPI's security team had quarantined both versions.
The total exposure window from first malicious publication to quarantine was 6 hours and 22 minutes. The window for the functional payload (version 4.87.2) was 6 hours and 6 minutes.
HOW THE CREDENTIAL CHAIN REACHED TELNYX
The Telnyx compromise is the third proven link in a credential chain that defines the TeamPCP campaign. On February 28, 2026, TeamPCP exploited a pull_request_target workflow misconfiguration in Aqua Security's Trivy repository to steal a Personal Access Token.
That PAT unlocked GitHub Actions, Docker Hub, and release infrastructure. On March 19, TeamPCP used the retained credentials to poison 76 of 77 trivy-action version tags with credential-stealing malware.
Among the credentials stolen: the PyPI token belonging to LiteLLM co-founder Krish Dholakia.
On March 24, TeamPCP used those stolen PyPI credentials to publish malicious LiteLLM versions 1.82.7 and 1.82.8, which harvested credentials, .env files, and shell histories from every system that imported the package.
If any developer or CI/CD pipeline had both LiteLLM installed and access to the Telnyx PyPI token, that token was already in TeamPCP's hands.
Three days later, the Telnyx package was compromised. The three-day gap between the LiteLLM compromise and the Telnyx publication is consistent with the time required to sift through a large volume of stolen credentials and identify high-value targets.
This is credential chaining as an operational model. Every compromise yields credentials for the next one.
WAV STEGANOGRAPHY
The Telnyx compromise introduced WAV audio file steganography to the campaign. The attacker constructs a file with a legitimate WAV header that passes standard file-type and MIME-type validation. The audio frame data contains a base64-encoded, XOR-encrypted payload.
The first 8 bytes of the decoded frame data serve as the XOR decryption key. The remaining bytes are the encrypted payload. The .wav file extension is treated as benign by URL-based filtering. Network security tools scanning for executable patterns see what appears to be audio data.
The payload is encrypted, preventing signature-based detection.
JFrog identified a significant weakness: the malicious code does not cryptographically verify the downloaded WAV file before executing its contents.
The download occurs over unencrypted HTTP from 83.142.209[.]203:8080. Any man-in-the-middle attacker could inject arbitrary code - turning TeamPCP's credential stealer into a delivery vehicle for a different payload entirely.
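The scanner below is an added example, not code from the incident or from any of the vendors cited here. It turns the layout described above into a defensive check: it reads the PCM frame data of a WAV file, tries a strict base64 decode (real audio samples essentially never form valid base64), XORs the remainder against the first 8 decoded bytes, and looks for executable magic. The fixtures at the bottom are constructed for this example; the Mach-O and script prefixes in the magic table are heuristics assumed here, not payload formats the advisory documents.

```python
import base64
import binascii
import io
import wave

# Byte prefixes that never belong in PCM audio. PE and ELF follow the advisory
# (Windows binary, Linux/macOS harvester); the Mach-O and script entries are
# heuristics assumed for this example.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"#!": "script with shebang",
    b"import ": "Python source",
}

KEY_LEN = 8  # per the advisory: the first 8 decoded bytes are the XOR key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric, so it also decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _match_magic(blob: bytes):
    for magic, label in EXECUTABLE_MAGIC.items():
        if blob.startswith(magic):
            return label
    return None


def scan_wav_frames(wav_bytes: bytes, key_len: int = KEY_LEN) -> dict:
    """Inspect the frame (PCM) data of a WAV file for a concealed executable.

    Returns a verdict with:
      frames     - number of frame-data bytes read
      base64     - whether the frame data decodes as strict base64
      executable - label of a recognised executable prefix, or None
    """
    verdict = {"frames": 0, "base64": False, "executable": None}
    try:
        with wave.open(io.BytesIO(wav_bytes), "rb") as w:
            frames = w.readframes(w.getnframes())
    except (wave.Error, EOFError):
        return verdict  # not a parseable WAV; leave it to other checks
    verdict["frames"] = len(frames)
    if not frames:
        return verdict

    # Case 1: executable stored raw in the frame data.
    verdict["executable"] = _match_magic(frames)
    if verdict["executable"]:
        return verdict

    # Case 2: base64 text where audio samples should be. Strict decoding
    # succeeding is already a strong signal on its own.
    try:
        decoded = base64.b64decode(b"".join(frames.split()), validate=True)
    except (binascii.Error, ValueError):
        return verdict
    verdict["base64"] = True
    if len(decoded) <= key_len:
        return verdict

    # Case 3: key || XOR(payload, key), the layout described for the loader.
    key, body = decoded[:key_len], decoded[key_len:]
    verdict["executable"] = _match_magic(xor_with_key(body, key))
    return verdict


# --- constructed fixtures for this example (not samples from the incident) ---

def _write_wav(frames: bytes) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()


def build_fixture_wav(payload: bytes, key: bytes = b"\x01\x23\x45\x67\x89\xab\xcd\xef") -> bytes:
    """WAV whose frame data is base64(key || XOR(payload, key)), as in the advisory."""
    return _write_wav(base64.b64encode(key + xor_with_key(payload, key)))


def build_benign_wav() -> bytes:
    """WAV holding an ordinary 8-bit square wave."""
    return _write_wav(bytes([0x00, 0xFF] * 400))


if __name__ == "__main__":
    print(scan_wav_frames(build_fixture_wav(b"\x7fELF" + b"constructed-elf-body")))
    print(scan_wav_frames(build_benign_wav()))
```

The `base64` flag is the more durable signal: an attacker can rotate the magic bytes or the key length, but cannot make audio samples look like PCM and decode as base64 at the same time. Run it against anything a build host fetched with a `.wav` suffix before deciding the download was harmless.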
THE MALICIOUS CODE
On Windows, setup() creates a hidden lockfile in the Startup folder with a 12-hour timeout, retrieves hxxp://83.142.209[.]203:8080/hangup.wav, extracts the XOR-decrypted executable from the WAV frame data, drops it as msbuild.exe in the Startup folder (masquerading as Microsoft Build Engine), and launches it with CREATE_NO_WINDOW for invisible execution.
On Linux and macOS, FetchAudio() spawns a detached subprocess that decodes the embedded credential harvester, downloads hxxp://83.142.209[.]203:8080/ringtone.wav, extracts the third-stage collector, harvests all targeted credentials, encrypts with AES-256-CBC and RSA-4096 OAEP key wrapping, packages as tpcp.tar.gz, and exfiltrates via HTTP POST with header X-Filename: tpcp.tar.gz.
The self-destructing temporary directory leaves near-zero forensic artifacts.
When Kubernetes service account tokens are detected, the harvester deploys privileged pods to every node in kube-system namespace, mounting host root filesystem at /host with hostPID, hostNetwork, and privileged: True.
Two container variants were observed: kamikaze (destructive, targeting Iranian-identified systems) and provisioner (persistent backdoor).
CAMPAIGN EVOLUTION
Three operational changes between LiteLLM (Day 6) and Telnyx (Day 9) indicate active adaptation to defender responses. C2 shifted from domain (models.litellm[.]cloud) to raw IP (83.142.209[.]203) - fewer DNS indicators.
Payload delivery shifted from direct base64 embedding to WAV steganography. Persistence artifact names rotated from sysmon to audiomon. The core pipeline - AES-256-CBC encryption, RSA-4096 key wrapping, tpcp.tar.gz naming, identical RSA public key - remains constant.
TeamPCP is changing the wrapper while keeping the engine.
THREAT ACTOR
TeamPCP entered a monetization phase concurrent with the Telnyx compromise. Three developments: First, a formal alliance with the Vect ransomware group and Breached forum.
TeamPCP provides initial access, Vect supplies encryption tooling, BreachForums operates the affiliate base. Personal affiliate keys were announced for distribution to approximately 300,000 registered forum members.
No confirmed Vect deployments have been observed as of March 29.
Second, LAPSUS$ claimed a 3 GB AstraZeneca breach including internal code repositories and cloud infrastructure configurations. AstraZeneca has issued no confirmation.
Third, SANS ISC documented a 48-hour operational pause - the first since March 19 - suggesting a strategic shift from expansion to monetization rather than campaign conclusion.
INDICATORS OF COMPROMISE
Network: 83.142.209[.]203:8080 (C2), hxxp://83.142.209[.]203:8080/hangup.wav (Windows), hxxp://83.142.209[.]203:8080/ringtone.wav (Linux/macOS). Related: 83.142.209[.]11, 46.151.182[.]203.
SHA-256: telnyx 4.87.1: 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9. telnyx 4.87.2: cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3.
Filesystem: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe (Windows). ~/.config/audiomon/audiomon.py and ~/.config/systemd/user/audiomon.service (Linux). HTTP: X-Filename: tpcp.tar.gz.
Kubernetes: pod names node-setup-*, kamikaze, provisioner; DaemonSets host-provisioner-iran, host-provisioner-std.
REGULATORY EXPOSURE
- CCPA/CPRA: If stolen credentials enabled downstream access to California residents' personal information. $7,500 per intentional violation. Organizations using Telnyx for SMS-based 2FA are directly exposed if credential theft enabled interception of verification messages.
- HIPAA: Healthcare organizations using Telnyx for patient communications face Security Rule violations if compromised API keys enabled access to protected health information. Fines up to $2.1M per violation category per year.
- FCC / Telecommunications Act: Telnyx is an internationally licensed telecommunications carrier. Compromised API credentials enabling unauthorized access to telecommunications services may trigger FCC reporting obligations and CPNI breach notification requirements under 47 CFR 64.2011.
- GDPR (Articles 5, 32, 33, 34): EU organizations face Article 32 scrutiny on supply chain integrity controls. 72-hour notification required. Fines up to EUR 20M or 4% annual global turnover.
- Saudi PDPL: Fines up to SAR 5M. NCA Essential Cybersecurity Controls mandate supply chain risk management.
- UAE PDPL: Fines up to AED 10M. TDRA incident reporting obligations apply.
- EU Cyber Resilience Act: Vulnerability and incident reporting obligations take effect September 11, 2026.
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident:
1. The exact number of systems that downloaded and imported telnyx versions 4.87.1 or 4.87.2 during the 6-hour exposure window has not been disclosed by PyPI or Telnyx. The theoretical maximum based on daily download rates is approximately 1,200.
2. The specific mechanism by which the Telnyx PyPI token was exposed to the LiteLLM harvester has not been detailed. Whether the token was in an environment variable, .env file, shell history, or CI/CD secret remains unconfirmed.
3. Whether version 4.87.1 was truly non-functional on all platforms is subject to conflicting analysis. SafeDep's assessment that the NameError aborted execution before FetchAudio() could run is the most technically rigorous, but no public analysis has tested it in a controlled environment.
4. TeamPCP's claimed alliance with Vect ransomware and the distribution of approximately 300,000 affiliate keys has been announced but not operationally confirmed. No Vect deployments linked to TeamPCP credentials have been observed as of March 29.
5. The hosting provider, geographic location, and current operational status of the C2 server at 83.142.209[.]203 have not been publicly documented.
ZERO|TOLERANCE Advisory
This was not a vulnerability in the Telnyx SDK. There was no flaw in Telnyx's code, no misconfiguration in their infrastructure, no failure in their security practices.
This was the third link in a credential chain that began 27 days earlier with a misconfigured pull_request_target workflow in a completely unrelated repository.
One stolen PAT in Aqua Security's Trivy yielded GitHub Actions credentials, which yielded PyPI tokens for LiteLLM, which yielded a PyPI token for Telnyx.
At no point in this chain did a second authentication factor, a short-lived credential, or a provenance verification mechanism interrupt the propagation.
PyPI trusted publishers eliminate the credential that made this attack possible. Trusted publishers use OpenID Connect to bind package publishing to a specific GitHub Actions workflow in a specific repository.
There is no token to store, no secret to rotate, and nothing to steal from an environment variable. An attacker with a stolen static token cannot satisfy the OIDC claims because the token does not originate from the correct workflow.
Every PyPI package maintainer should migrate to trusted publishers immediately.
The WAV steganography technique bypasses security controls designed for a different era of payload delivery. URL filtering that treats the .wav extension as benign, MIME-type inspection that trusts WAV headers, and network security tools that skip audio file analysis all failed to flag the payload download.
The defense is not WAV-specific detection rules - it is egress controls that block all unexpected outbound connections from CI/CD pipelines and production environments.
A Python SDK for a telecommunications API has no legitimate reason to download files from 83.142.209[.]203:8080.
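The detector below is an added example, not tooling from the advisory or from any cited vendor. It runs the egress argument above over a constructed proxy log: any request from a build host to an IP-literal destination, over cleartext HTTP, to an address on this advisory's IoC list, or carrying the `X-Filename: tpcp.tar.gz` exfiltration header is reported. The log line format is invented for the example; a real Squid, Envoy, or cloud NAT log needs its own `parse_line()`. The C2 addresses are those in the INDICATORS OF COMPROMISE section, undefanged so they can be matched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Destinations from the advisory's IoC list, undefanged for matching.
KNOWN_C2 = {"83.142.209.203", "83.142.209.11", "46.151.182.203"}
# Header the Linux/macOS stage sets on its exfiltration POST.
EXFIL_HEADER = ("x-filename", "tpcp.tar.gz")

# Constructed egress-proxy format for this example:
#   <timestamp> src=<host> <METHOD> <url> [hdr="<Name>: <value>"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)'
    r'(?: hdr="(?P<hdr>[^"]*)")?$'
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    hdr = rec.pop("hdr") or ""
    name, _, value = hdr.partition(":")
    rec["header"] = (name.strip().lower(), value.strip()) if name else None
    return rec


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(rec: dict) -> list:
    """Sorted reason codes for one request; empty when it looks ordinary."""
    url = urlsplit(rec["url"])
    host = url.hostname or ""
    reasons = set()
    if is_ip_literal(host):
        reasons.add("ip-literal-destination")   # SDKs talk to hostnames, not raw IPs
    if host in KNOWN_C2:
        reasons.add("known-c2")
    if url.scheme == "http":
        reasons.add("cleartext-http")           # the loader fetched its WAVs over plain HTTP
    if rec["header"] == EXFIL_HEADER:
        reasons.add("tpcp-exfil-header")
    return sorted(reasons)


def analyse(lines) -> list:
    """Return one finding per flagged request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            findings.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return findings


# Constructed sample log: two ordinary requests and the two the loader would make.
SAMPLE_LOG = """\
2026-03-27T04:12:09Z src=ci-runner-7 GET https://pypi.org/simple/telnyx/
2026-03-27T04:12:31Z src=ci-runner-7 GET http://83.142.209.203:8080/ringtone.wav
2026-03-27T04:13:02Z src=ci-runner-7 POST http://83.142.209.203:8080/ hdr="X-Filename: tpcp.tar.gz"
2026-03-27T04:15:40Z src=dev-laptop-3 GET https://api.telnyx.com/v2/messages
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f["src"], f["url"], ", ".join(f["reasons"]))
```

The `ip-literal-destination` and `cleartext-http` rules carry the weight here: they do not depend on knowing this campaign's infrastructure, which is exactly the property the advisory is asking for when it says the defense is egress control rather than WAV-specific signatures. In a deny-by-default egress policy these two requests would not have completed at all; the detector is for the environments that still allow them.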
For organizations that imported telnyx versions 4.87.1 or 4.87.2, the remediation posture is total environment compromise. Assume every credential accessible to the Python process has been exfiltrated.
Map every secret that was reachable - environment variables, mounted service account tokens, SSH keys, cloud credentials, Docker configs, shell history. Rotate all of them. For Kubernetes environments, audit pod creation logs for node-setup-* naming patterns.
Check for audiomon.py and audiomon.service persistence artifacts on Linux hosts. Check for msbuild.exe in the Windows Startup folder. Pin the package to version 4.87.0 or a later clean version by cryptographic hash, not by version number.
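The triage script below is an added example, not a tool published with this advisory or by Telnyx. It collects the host-level checks from the remediation steps above into one sweep: the installed telnyx version, the two package hashes from the INDICATORS OF COMPROMISE section matched against a wheel cache or wheelhouse, and the Linux and Windows persistence paths. The default cache location and the `PIP_CACHE_DIR`/`APPDATA` environment lookups are assumptions for the example.

```python
import hashlib
import os
import pathlib
from importlib import metadata

# Values from the advisory's IoC section.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
MALICIOUS_SHA256 = {
    "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9": "telnyx 4.87.1",
    "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3": "telnyx 4.87.2",
}
LINUX_ARTIFACTS = (
    ".config/audiomon/audiomon.py",
    ".config/systemd/user/audiomon.service",
)
# Relative to %APPDATA% on Windows.
WINDOWS_ARTIFACT = r"Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"


def is_malicious_version(version) -> bool:
    return version in MALICIOUS_VERSIONS


def installed_telnyx_version():
    """Version of the telnyx distribution visible to this interpreter, or None."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def label_for_hash(sha256_hex: str):
    """Name of the malicious release with this SHA-256, or None."""
    return MALICIOUS_SHA256.get(sha256_hex.lower())


def sha256_of_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory_for_hashes(directory) -> list:
    """Hash every file under directory (a pip cache or wheelhouse) and report IoC matches."""
    hits = []
    root = pathlib.Path(directory)
    if not root.is_dir():
        return hits
    for p in root.rglob("*"):
        if p.is_file():
            label = label_for_hash(sha256_of_file(p))
            if label:
                hits.append((str(p), label))
    return hits


def find_persistence_artifacts(home, appdata=None) -> list:
    """Return the persistence paths from the advisory that exist on this host."""
    candidates = [pathlib.Path(home) / rel for rel in LINUX_ARTIFACTS]
    if appdata:
        candidates.append(pathlib.Path(appdata) / WINDOWS_ARTIFACT)
    return [str(p) for p in candidates if p.exists()]


def triage(cache_dir=None) -> dict:
    """Run all checks against the current host and return the results."""
    # Assumed default: pip's cache under ~/.cache/pip unless PIP_CACHE_DIR is set.
    cache_dir = cache_dir or os.environ.get("PIP_CACHE_DIR") or pathlib.Path.home() / ".cache" / "pip"
    ver = installed_telnyx_version()
    return {
        "installed_version": ver,
        "malicious_version_installed": is_malicious_version(ver),
        "hash_hits": scan_directory_for_hashes(cache_dir),
        "persistence": find_persistence_artifacts(pathlib.Path.home(), os.environ.get("APPDATA")),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Any non-empty result means the host falls under the "total environment compromise" posture above, so the rotation step follows regardless of which check fired. For the pinning step, pip's own `--require-hashes` mode with `--hash=sha256:...` entries in requirements.txt enforces hash pinning at install time, so a re-published version with the same number cannot slip in.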
The credential chain will not stop at Telnyx unless defenders break it. Every credential harvested during this compromise is a potential starting point for the fourth link.
Organizations that use multiple open-source packages in their CI/CD pipelines should audit whether any pipeline had both a compromised package and a publishing credential for another package in the same execution context.
If so, that credential should be considered compromised and rotated immediately.
SOURCES
Datadog Security Labs, SafeDep, JFrog, Aikido Security, The Hacker News, BleepingComputer, Help Net Security, Infosecurity Magazine, CyberSecurityNews, ReversingLabs, SANS Internet Storm Center (Updates 002 and 003), SANS Institute, Cybernews, Telnyx Security Notice, GitHub Issue #235, pypistats.org, Palo Alto Networks, GitGuardian, Endor Labs, Socket.dev, ZERO|TOLERANCE prior coverage (Trivy Supply Chain CVE-2026-33634, LiteLLM TeamPCP PyPI Supply Chain)