Skip to content

TeamPCP strikes again: Backdoored Telnyx PyPI package delivers malware

Chimera readability score 0.5684 out of 100, reading level.

TeamPCP continues is supply chain compromise rampage, with telnyx on PyPI being the latest maliciously modified package.
What happened?
Telnyx is a widely used software development kit (SDK) for the Telnyx AI Voice Agent service.
According to Endor Labs researchers, attackers backdoored the legitimate SDK code and published versions 4.87.1 and 4.87.2 of the package on the Python Package Index (PyPI), one shortly after the other.
The malicious code wasn’t functional in the first version due to a typo, so a second version had to be published.
The malicious releases were published on 27 March 2026, between 03:51 UTC and 04:07 UTC on 27 March 2026, “without corresponding GitHub releases or tags, indicating the PyPI publishing credentials were compromised,” Endor Labs’ Kiran Raj explained.
“We believe the most likely vector is the litellm compromise itself,” he added.
“TeamPCP’s harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already in TeamPCP’s hands. The three-day gap fits the time needed to sift through stolen credentials and pick the next target.”
The telnyx PyPI project has since been quarantined.
A new malware delivery mechanism
Between the LiteLLM and the Telnyx compromises, the group changed some things.
For one, the malicious package delivered the encoded malicious payload in the audio frame data of a valid WAV file.
Secondly, the malicious packages were smaller than in previous attacks, as the real payload was fetched at runtime from the C2 (which is a “raw” IP address instead of an impersonated domain such as models.litellm.cloud in the LiteLLM attack).
When a malicious telnyx package is imported, it executes immediately and retrieves and drops a persistent executable on Windows systems or an information stealer on Linux/macOS systems.
The latter is designed to exfiltrate a wide range of sensitive data across systems: SSH keys and configurations; cloud credentials; authentication data from developer tools like Docker, npm, Git, and Vault; database credentials; environment configuration files (to extract embedded secrets like API keys and tokens); shell and database histories; and cryptocurrency wallet data.
“If a Kubernetes service account token exists, the malware goes after the entire cluster,” Endor Labs researchers noted.
“[It] deploys a privileged pod to every node in kube-system, each mounting the host root filesystem at /host with hostPID, hostNetwork, and privileged: True. The pods chroot into the host to install the persistence implant directly on the node.”
Finally, the stolen sensitive data is encrypted and exfiltrated.
TeamPCP signatures
Analyses of the incident have revealed undisputable links to TeamPCP, who compromised Trivy, LiteLLM, and CheckMarx’s IDE extensions and GitHub Actions in the past week or so.
Endor Labs says its attribution is based on multiple overlapping indicators: the use of an RSA-4096 public key previously observed in the LiteLLM PyPI compromise, the use of the same AES-256-CBC + RSA OAEP encryption scheme for data exfiltration, and the presence of specific archive files and headers during data exfiltration that are a TeamPCP signature.
The researcher shared indicators of compromise and advised on how to check systems nad logs for them. “Treat any match as a full-environment compromise — rotate all credentials,” they advised.
SafeDep and Aikido researchers’ write-ups are also a good source of advice.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

Facts Only

TeamPCP compromised the Telnyx PyPI package, a software development kit for the Telnyx AI Voice Agent service.
Malicious versions 4.87.1 and 4.87.2 of the package were published on PyPI on March 27, 2026, between 03:51 UTC and 04:07 UTC.
The first version contained a typo that prevented the malware from functioning, leading to the release of a second version.
The malicious releases lacked corresponding GitHub releases or tags, suggesting the PyPI publishing credentials were compromised.
The malware fetches its payload at runtime from a command-and-control server, delivering persistent executables on Windows or information stealers on Linux/macOS systems.
The stolen data includes SSH keys, cloud credentials, developer tool authentication data, database credentials, and cryptocurrency wallet information.
The Telnyx PyPI project has been quarantined following the discovery of the compromise.
Endor Labs researchers attribute the attack to TeamPCP, citing overlapping indicators such as the use of an RSA-4096 public key and specific encryption schemes.
TeamPCP has previously compromised LiteLLM, Trivy, and CheckMarx’s IDE extensions.
Researchers have advised rotating all credentials if indicators of compromise are detected.

Executive Summary

TeamPCP, a threat actor known for supply chain attacks, compromised the Telnyx PyPI package, a widely used SDK for the Telnyx AI Voice Agent service. On March 27, 2026, attackers published backdoored versions 4.87.1 and 4.87.2 of the package, with the first version containing a typo that rendered the malware non-functional, necessitating a second release. The malicious packages were uploaded without corresponding GitHub releases or tags, indicating the PyPI publishing credentials were compromised. Researchers from Endor Labs attribute the attack to TeamPCP, linking it to previous compromises of LiteLLM, Trivy, and CheckMarx’s IDE extensions. The malware delivered via the Telnyx package fetches its payload at runtime from a command-and-control server, deploying persistent executables on Windows or information stealers on Linux/macOS systems. The stolen data includes SSH keys, cloud credentials, developer tool authentication data, and cryptocurrency wallet information. The Telnyx PyPI project has since been quarantined, and researchers have advised rotating all credentials if indicators of compromise are detected.

Full Take

This incident underscores the escalating sophistication of supply chain attacks, where threat actors exploit trusted software distribution channels to infiltrate systems. TeamPCP’s modus operandi—compromising PyPI packages and exfiltrating sensitive data—highlights a disturbing trend in cyber warfare: the weaponization of open-source ecosystems. The attack’s reliance on runtime payload fetching and the use of audio files to conceal malware demonstrate a high degree of technical adaptability. The absence of GitHub releases or tags for the malicious versions suggests a deliberate attempt to evade detection, while the rapid iteration between versions indicates a well-resourced and agile adversary.
The broader implications are alarming. If Kubernetes service account tokens are present, the malware escalates to compromise entire clusters, illustrating how supply chain attacks can cascade into systemic breaches. The theft of credentials from developer tools and cloud services could enable further lateral movement, creating a ripple effect of compromises. This pattern echoes historical cyber espionage campaigns, where initial access is leveraged to extract high-value assets over time.
Key questions emerge: How can open-source ecosystems better defend against credential theft and supply chain compromises? What role should automated monitoring and anomaly detection play in mitigating such risks? And how might organizations balance the convenience of third-party packages with the necessity of rigorous security vetting?
Patterns detected: none