The telnyx Python SDK on PyPI was compromised by the threat actor group TeamPCP as part of an ongoing multi-week supply chain attack campaign. Two malicious versions (4.87.1 and 4.87.2) were published at 03:51 UTC on March 27. The payload in telnyx/_client.py executes at import time, using WAV steganography to deliver OS-specific malware: a Windows dropper that persists via the Startup folder, and a Linux/Mac infostealer that exfiltrates secrets encrypted with AES-256-CBC and RSA-4096. This follows earlier compromises of Trivy, 46+ npm packages, Checkmarx GitHub Actions, and LiteLLM. The campaign exploits unpinned CI/CD dependencies to steal credentials and propagate. Immediate remediation: pin to telnyx==4.87.0, rotate all secrets, and check for the msbuild.exe persistence artifact on Windows.
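As an added triage helper (not code from the advisory or from Telnyx), the script below checks the three remediation points above on a host or repo: the installed telnyx version, telnyx pins in a requirements file, and the msbuild.exe artifact in the Windows Startup folder. The per-user Startup path under %APPDATA% is an assumption; the page names the folder but not its exact path.

```python
"""Triage checks for the telnyx 4.87.1 / 4.87.2 PyPI compromise."""
import os
import re
import sys
from importlib import metadata
from pathlib import Path

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}   # versions named in the advisory
SAFE_PIN = "4.87.0"                          # last clean release per the advisory
# One requirements line naming telnyx, e.g. "telnyx==4.87.1" or "telnyx>=4.80"
REQ_LINE = re.compile(
    r"^\s*telnyx(?![A-Za-z0-9_-])\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*"
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?", re.I)


def installed_telnyx_status():
    """'not-installed', 'malicious' or 'ok' for the running interpreter's env."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "malicious" if version in MALICIOUS_VERSIONS else "ok"


def check_requirements(text):
    """Return (line, verdict) for each telnyx line in requirements text."""
    findings = []
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op == "==" and ver in MALICIOUS_VERSIONS:
            verdict = "malicious-pin"
        elif op == "==" and ver == SAFE_PIN:
            verdict = "ok"
        elif op == "==":
            verdict = "pinned-other"     # pinned, but not to the known-clean release
        else:
            verdict = "unpinned"         # a range or bare name can resolve to 4.87.x
        findings.append((line.strip(), verdict))
    return findings


def startup_artifact_present(startup_dir=None):
    """True if msbuild.exe sits in the per-user Startup folder (Windows only).

    startup_dir may be passed explicitly (e.g. for a mounted image); otherwise
    the standard %APPDATA% Startup path is assumed on Windows hosts.
    """
    if startup_dir is None:
        if sys.platform != "win32":
            return False
        startup_dir = (Path(os.environ["APPDATA"])
                       / "Microsoft/Windows/Start Menu/Programs/Startup")
    return (Path(startup_dir) / "msbuild.exe").is_file()
```

Run `check_requirements` over every requirements or constraints file in CI, and treat any "unpinned" or "malicious-pin" finding as a blocker until the pin is `telnyx==4.87.0`.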