Telnyx
telnyx is a trojanized version of the official Telnyx Python SDK, distributed via PyPI as versions 4.87.1 and 4.87.2 on March 27, 2026, as part of a broader software supply-chain campaign attributed to TeamPCP. The malicious code was injected into telnyx/_client.py and ran at import time whenever an application executed import telnyx, affecting Windows, Linux, and macOS systems.

On Windows, the malware fetched hangup.wav from 83[.]142[.]209[.]203:8080, extracted a base64-encoded, XOR-obfuscated executable from the WAV frame data, and wrote it as msbuild.exe to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ for persistence; a .lock file enforced a 12-hour cooldown before the binary was dropped again. On Linux and macOS, it carried a hardcoded base64-encoded second-stage Python script that fetched ringtone.wav from the same server, decoded a third-stage collector from the WAV frame data with the same XOR technique, and ran it by piping the script to the stdin of sys.executable. In both cases the WAV audio steganography disguised payload delivery as the download of valid audio files.

Collected data was encrypted with AES-256-CBC, the session key was wrapped with an RSA-4096 public key using OAEP, and the result was exfiltrated via HTTP POST with the header X-Filename: tpcp.tar.gz. The campaign context indicates TeamPCP likely obtained the Telnyx PyPI publishing token during an earlier compromise chain involving Trivy and LiteLLM CI/CD secrets.

High-confidence indicators include the malicious versions 4.87.1 and 4.87.2, the C2 server 83[.]142[.]209[.]203:8080, the Windows persistence artifact msbuild.exe in the Startup folder, the associated .lock file, and the package hashes 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9 for 4.87.1 and cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3 for 4.87.2.
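The indicators above map directly onto three checks a defender can run: is the malicious telnyx release installed, does a package artifact match the published hashes, and do proxy logs or the Windows Startup folder show the stager, C2 or exfiltration traces. The script below is an added example written for this page, not Mallory's or Telnyx's code. The indicator values come from the write-up; the proxy log format, the sample log lines and the Startup folder listing are constructed for the demonstration, and the function names are the example's own.

```python
"""Detection helpers for the trojanized telnyx PyPI releases (4.87.1 / 4.87.2).

Added example for this page; indicator values are taken from the write-up,
the log format and sample data are constructed (hypothetical), not from any
real product.
"""
import re
from typing import Dict, Iterable, List, Optional

# --- Indicators published on the page -------------------------------------
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
MALICIOUS_PACKAGE_SHA256 = {
    "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9": "4.87.1",
    "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3": "4.87.2",
}
C2_ENDPOINT = "83.142.209.203:8080"          # defanged on the page as 83[.]142[.]209[.]203
STAGER_FILES = {"hangup.wav", "ringtone.wav"}  # Windows / Linux+macOS stagers
EXFIL_HEADER_NAME = "x-filename"
EXFIL_HEADER_VALUE = "tpcp.tar.gz"
STARTUP_ARTIFACTS = {"msbuild.exe"}            # dropped into the Startup folder


def is_malicious_telnyx(name: str, version: str) -> bool:
    """True if an installed distribution is one of the two trojanized releases."""
    return name.lower() == "telnyx" and version in MALICIOUS_VERSIONS


def classify_package_digest(sha256_hex: str) -> Optional[str]:
    """Map a package file's SHA-256 to the malicious version it belongs to, if any."""
    return MALICIOUS_PACKAGE_SHA256.get(sha256_hex.strip().lower())


# Constructed proxy-log layout (hypothetical):
#   <ts> host=<h> method=<M> url=<u> [hdr=<Name:Value>] status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>[A-Z]+) url=(?P<url>\S+)"
    r"(?: hdr=(?P<hdr>\S+))? status=(?P<status>\d+)$"
)


def scan_proxy_log(lines: Iterable[str]) -> List[Dict]:
    """Flag lines showing C2 contact, a stager WAV fetch, or the exfiltration header."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        url = m["url"]
        reasons = []
        if C2_ENDPOINT in url:
            reasons.append("c2_contact")
        if url.rsplit("/", 1)[-1].lower() in STAGER_FILES:
            reasons.append("stager_wav_fetch")
        if m["hdr"]:
            hname, _, hvalue = m["hdr"].partition(":")
            if hname.lower() == EXFIL_HEADER_NAME and hvalue.lower() == EXFIL_HEADER_VALUE:
                reasons.append("exfil_header")
        if reasons:
            findings.append({"ts": m["ts"], "host": m["host"], "url": url, "reasons": reasons})
    return findings


def startup_folder_findings(entries: Iterable[str]) -> List[str]:
    """Return Startup-folder entries matching the persistence artifacts.

    The Startup folder normally holds shortcuts, so an executable named
    msbuild.exe or a .lock file there is worth a look on its own.
    """
    hits = []
    for entry in entries:
        name = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in STARTUP_ARTIFACTS or name.endswith(".lock"):
            hits.append(entry)
    return hits


# Constructed sample data for the demonstration.
SAMPLE_LOG = [
    "2026-03-27T10:11:58Z host=build-01 method=GET url=https://pypi.org/simple/telnyx/ status=200",
    "2026-03-27T10:12:01Z host=build-01 method=GET url=http://83.142.209.203:8080/hangup.wav status=200",
    "2026-03-27T10:12:05Z host=build-01 method=POST url=http://83.142.209.203:8080/ hdr=X-Filename:tpcp.tar.gz status=200",
    "2026-03-27T10:12:09Z host=build-02 method=GET url=https://example.invalid/ringtone.mp3 status=200",
]
SAMPLE_STARTUP = [
    r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f)
    print(startup_folder_findings(SAMPLE_STARTUP))
```

Hosts that produce any of these findings should be handled as the Datadog write-up recommends, as a full-credential exposure event: rotating every secret the host could reach, not just removing the package.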
Groups observed using it
1 distinct threat actor attributed by public researchers.
Using it, the attacker published telnyx 4.87.1 and 4.87.2 to PyPI on March 27... The standout technique in this phase is the use of audio steganography for payload delivery.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Credential Access (1 technique)
Datadog Security Labs published a detailed technical trace of the full LiteLLM and Telnyx PyPI compromise chain, tracing it back to the March 19 Trivy origin and recommending that any host that installed compromised versions be treated as a "full-credential exposure event."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A compromised Python package whose malicious versions execute at import time. On Windows it downloads a WAV-embedded payload, then decodes it and drops a persistent executable into the Startup folder. On Linux/macOS it decodes and executes a staged collector script, encrypts the collected data, and exfiltrates it to attacker infrastructure.
A malicious PyPI package update that executed on import, fetched WAV files containing hidden payloads, dropped a Windows persistence binary as msbuild.exe, and on Linux/macOS performed smash-and-grab credential theft with encrypted exfiltration.