TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
TeamPCP Weaponizes Audio Steganography in Malicious Telnyx PyPI Packages
TL;DR
The threat actor TeamPCP has compromised the legitimate telnyx Python package on PyPI, releasing versions 4.87.1 and 4.87.2. These versions use audio steganography—hiding malware inside .WAV files—to harvest credentials and exfiltrate data from Windows, Linux, and macOS systems. Users should downgrade to 4.87.0 immediately.
Overview of the Attack
The threat actor known as TeamPCP, previously linked to supply chain attacks against Trivy, KICS, and litellm, has expanded its campaign to include the telnyx Python package. On March 27, 2026, two malicious versions (4.87.1 and 4.87.2) were pushed to the Python Package Index (PyPI).
Unlike common "typosquatting" attacks where actors register similar-sounding names, this is a direct compromise of a trusted, legitimate package. The PyPI project has been quarantined, but researchers from Socket, Endor Labs, JFrog, and several other security firms warn that the malware is invoked the moment the package is imported into an application.
Sophisticated Delivery via Audio Steganography
The most notable feature of this campaign is the use of audio steganography. Instead of hosting a suspicious binary or a massive Base64-encoded string that would likely be flagged by Endpoint Detection and Response (EDR) tools, the attackers hide the payload within standard audio files.
The malicious code is injected into telnyx/_client.py, so it runs as soon as the package is imported. It then follows a different attack chain depending on the victim's operating system:
- Windows: The malware downloads hangup.wav from a command-and-control (C2) server, extracts an executable from the audio data and drops it into the Startup folder as msbuild.exe. This ensures the malware runs every time the user logs in.
- Linux/macOS: The system fetches ringtone.wav, which contains a third-stage collector script. This is described as a "smash-and-grab" operation: a high-speed data harvesting run that executes in a temporary directory and deletes itself immediately after exfiltration, leaving almost no forensic trace.
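The report does not say how the payload is encoded into the WAV files, so a defender cannot rely on a byte-exact signature. The example below is added here and is not TeamPCP's code or any researcher's tooling: it parses the RIFF chunk list of a WAV and flags the two cheapest hiding places, bytes appended after the length the RIFF header declares and executable or script signatures inside chunk bodies. The `build_wav` helper and the three sample files (clean, appended fake PE, embedded shell script) are constructed for the demo.

```python
import struct
from typing import Dict, List, Tuple

# Byte patterns that have no business inside PCM audio but mark the start of
# an executable or script. Constructed list for this example; extend as needed.
SIGNATURES = {
    b"MZ": "PE/DOS executable header",
    b"\x7fELF": "ELF executable header",
    b"#!/": "script shebang",
    b"import ": "Python source",
}


def parse_riff_chunks(data: bytes) -> Tuple[List[Tuple[str, int, int]], int]:
    """Walk the chunk list of a RIFF/WAVE file.

    Returns (chunks, declared_end): each chunk is (id, body_offset, body_size)
    and declared_end is where the RIFF header says the container ends. Bytes
    past that point are not part of the audio file at all.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", data[4:8])[0]
    declared_end = 8 + riff_size
    chunks = []
    off = 12
    while off + 8 <= min(declared_end, len(data)):
        cid = data[off:off + 4].decode("ascii", errors="replace").strip()
        size = struct.unpack("<I", data[off + 4:off + 8])[0]
        chunks.append((cid, off + 8, size))
        off += 8 + size + (size & 1)  # chunk bodies are padded to an even length
    return chunks, declared_end


def _find_signatures(region: bytes, label: str) -> List[Tuple[str, int, str]]:
    return [(label, region.find(sig), desc)
            for sig, desc in SIGNATURES.items() if sig in region]


def scan_wav(data: bytes) -> Dict[str, object]:
    """Flag a WAV carrying a hidden payload: appended after the declared RIFF
    end (the simplest stego trick) or embedded inside a chunk body."""
    chunks, declared_end = parse_riff_chunks(data)
    findings: List[Tuple[str, int, str]] = []
    for cid, body_off, size in chunks:
        findings += _find_signatures(data[body_off:body_off + size], cid)
    trailer = data[declared_end:]
    findings += _find_signatures(trailer, "trailer")
    return {
        "chunks": [c[0] for c in chunks],
        "trailing_bytes": len(trailer),
        "findings": findings,
        "suspicious": bool(findings) or len(trailer) > 0,
    }


def build_wav(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Build a minimal 16-bit mono PCM WAV around raw sample bytes (test fixture)."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate * 2, 2, 16)
    pad = b"\x00" if len(samples) & 1 else b""
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples + pad)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    clean = build_wav(bytes(200))
    # Constructed "stego" samples: a fake PE appended after the container, and a
    # shell script buried in the middle of the PCM data.
    appended = clean + b"MZ\x90\x00" + bytes(50)
    embedded = build_wav(bytes(100) + b"#!/bin/sh\necho hi\n" + bytes(100))
    for name, blob in [("clean", clean), ("appended", appended), ("embedded", embedded)]:
        print(name, scan_wav(blob))
```

This catches payloads stored as plain bytes. A payload spread across the least-significant bits of the samples would pass this check and needs an entropy or LSB-distribution test instead; the more robust control is to treat any WAV fetched at runtime by a library that has no reason to play audio as suspicious on its own.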
Data Harvesting and Exfiltration
The credential harvester is designed to sweep for sensitive information, including:
- Environment variables
- .env files
- Shell histories
- Cloud credentials and CI/CD secrets
The stolen data is compressed into a file named tpcp.tar.gz and exfiltrated via an HTTP POST request to the IP address 83.142.209[.]203:8080.
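The indicators above (the exfiltration IP and port, the archive name, the two stage-payload filenames, and the two malicious release versions) are what a SOC would sweep proxy and egress logs for. The following is an added example, not code from the report or from any of the named vendors: it refangs the IP as the advisory writes it and tags matching log lines. The log format and the sample lines are constructed for the demo, and 198.51.100.20 (TEST-NET-2) stands in for the unknown host serving the WAV payload.

```python
import re
from typing import Dict, List

# Indicators quoted in the report, written defanged as the advisory writes them.
EXFIL_IP = "83.142.209[.]203"
EXFIL_PORT = 8080
EXFIL_ARCHIVE = "tpcp.tar.gz"
STAGE_PAYLOADS = ("hangup.wav", "ringtone.wav")
MALICIOUS_DISTS = ("telnyx-4.87.1", "telnyx-4.87.2")   # sdist/wheel filename prefixes

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify_line(line: str) -> List[str]:
    """Return the indicator tags a single egress/proxy log line matches."""
    tags: List[str] = []
    exfil_ip = refang(EXFIL_IP)
    for m in IP_PORT_RE.finditer(line):
        if m.group(1) == exfil_ip:
            tags.append("exfil-ip")
            if m.group(2) and int(m.group(2)) == EXFIL_PORT:
                tags.append("exfil-ip-port")
    if EXFIL_ARCHIVE in line:
        tags.append("exfil-archive")
    tags += [f"stage-payload:{p}" for p in STAGE_PAYLOADS if p in line]
    tags += [f"malicious-release:{d}" for d in MALICIOUS_DISTS if d in line]
    return tags


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the indicator tags they hit; clean lines are omitted."""
    hits: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        tags = classify_line(line)
        if tags:
            hits[n] = tags
    return hits


# Constructed proxy log in a generic "time client method url status size" shape.
SAMPLE_LOG = [
    "1711497601 10.0.0.12 CONNECT pypi.org:443 200 0",
    "1711497602 10.0.0.12 POST http://83.142.209.203:8080/ 200 48213 multipart name=tpcp.tar.gz",
    "1711497603 10.0.0.7 GET http://198.51.100.20/ringtone.wav 200 917504",
    "1711497604 10.0.0.7 GET https://files.pythonhosted.org/packages/telnyx-4.87.2.tar.gz 200 312001",
]

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG).items():
        print(n, tags, SAMPLE_LOG[n - 1])
```

The IP and port hit is the high-confidence signal and should also drive an egress block; the filename matches are weak (many legitimate hosts serve files called ringtone.wav) and are only there to pivot from a confirmed hit to the host that fetched the payload. Any host that appears in the `malicious-release` results downloaded a compromised version and should be treated as having had its secrets harvested.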
Origin of the Compromise
While the exact method used to obtain the telnyx PYPI_TOKEN is unconfirmed, researchers from Endor Labs believe it likely originated from the earlier litellm compromise: if a developer workstation or CI/CD pipeline that used litellm also held the telnyx publishing token, TeamPCP's earlier harvester would have captured it from environment variables or shell histories.
Broader Campaign Context
This attack marks a shift in TeamPCP's tactics toward targeting high-value tools used in automated pipelines. By infecting container scanners (Trivy) and infrastructure tools (KICS), they gain elevated access to systems that naturally require broad read permissions.
TeamPCP has also recently announced collaborations with the LAPSUS$ group and a new ransomware entity called Vect, indicating that these supply chain compromises may be used as entry points for future extortion and ransomware operations.
Mitigation and Recommendations
Security teams and developers are advised to take the following steps:
- Check Versions: Audit requirements.txt, lockfiles and installed Python environments. If telnyx version 4.87.1 or 4.87.2 is present, downgrade to 4.87.0 immediately. Read the version from package metadata (for example pip show telnyx) rather than by importing the package, since the implant runs on import.
- Rotate Secrets: Assume all credentials, API keys, and secrets accessible from the compromised environment have been leaked and rotate them.
- Search for Persistence: On Windows systems, check the Startup folder for a file named msbuild.exe.
- Network Blocking: Block communication with the known C2 and exfiltration IP: 83.142.209[.]203.
- Review CI/CD Security: Ensure that CI/CD pipelines are locked down and treat any tool running in the pipeline as a potential entry point for attackers.
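The version check is the step most likely to be done wrong, because the obvious one-liner (`import telnyx; print(telnyx.__version__)`) executes telnyx/_client.py and therefore the implant. The script below is an added example, not Telnyx's or any vendor's tooling: it finds telnyx pins in a requirements file that are either set to a malicious version or not exactly pinned (and so resolve at install time), and reads the installed version from dist-info metadata via importlib.metadata, which never imports the package. The sample requirements text is constructed for the demo.

```python
import re
from importlib import metadata
from typing import List, Optional, Tuple

PACKAGE = "telnyx"
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}   # from the advisory
SAFE_PIN = "4.87.0"

# name, optional [extras], optional exact pin. Range specifiers such as >=4.80
# are deliberately not parsed: they resolve at install time, so the installed
# version is the only thing that can be checked for them.
SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(?:==\s*([0-9][0-9A-Za-z.\-]*))?"
)


def _normalize(name: str) -> str:
    return name.lower().replace("_", "-")


def affected_pins(requirements_text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (line_no, version) for each telnyx requirement that is either
    pinned to a malicious version or not exactly pinned at all (version None)."""
    hits: List[Tuple[int, Optional[str]]] = []
    for n, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = SPEC_RE.match(line)
        if not m or _normalize(m.group(1)) != PACKAGE:
            continue
        version = m.group(2)
        if version is None or version in MALICIOUS_VERSIONS:
            hits.append((n, version))
    return hits


def installed_version() -> Optional[str]:
    """Read the installed version from dist-info metadata.

    Do NOT use `import telnyx; telnyx.__version__` for this: the implant lives
    in telnyx/_client.py and runs on import. importlib.metadata reads the
    METADATA file on disk and never imports the package.
    """
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


def installed_is_malicious() -> bool:
    return installed_version() in MALICIOUS_VERSIONS


if __name__ == "__main__":
    # Constructed requirements file for the demo.
    sample = (
        "requests==2.31.0\n"
        "telnyx==4.87.2\n"
        "Telnyx[async] == 4.87.1  # pinned last week\n"
        "telnyx>=4.80\n"
        "telnyx==4.87.0\n"
    )
    for line_no, version in affected_pins(sample):
        state = ("unpinned, verify installed version" if version is None
                 else f"malicious pin {version}")
        print(f"line {line_no}: {state}; set to {PACKAGE}=={SAFE_PIN}")
    print("installed:", installed_version(), "malicious:", installed_is_malicious())
```

Remediation is `pip install "telnyx==4.87.0"` followed by the secret rotation above. A hash-pinned lockfile installed with `pip install --require-hashes` would have refused 4.87.1 and 4.87.2 outright, since pip rejects any distribution whose hash is not in the lockfile; that is the cheapest standing defence against a compromised release of an otherwise trusted package.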
Source: The Hacker News