Malicious versions of the Telnyx Python SDK on PyPI delivered credential-stealing malware via a multi-stage supply chain attack.

Socket

Socket Research Team uncovered a supply chain attack on the official Telnyx Python SDK on PyPI. Threat actor group TeamPCP uploaded malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware injected into the core client module. The attack uses a three-stage chain: audio steganography to deliver a second-stage harvester hidden in WAV files, fileless in-memory execution of the harvester, and hybrid AES-256-CBC + RSA-4096 encrypted exfiltration to a C2 server. On Windows, a persistent binary disguised as msbuild.exe is dropped in the Startup folder; on Linux/macOS, a one-shot ephemeral harvester runs and self-destructs. The malware bypasses postinstall hook detection by triggering at module import time. PyPI has quarantined the malicious versions; users should downgrade to 4.87.0 and rotate all credentials immediately.

TeamPCP Compromises Telnyx Python SDK to Deliver Credential-...