TeamPCP Backdoors Telnyx PyPI Package Using WAV Audio Steganography — SSH Keys, Cloud Tokens, and Crypto Wallets Stolen
The threat actor TeamPCP has compromised two versions of the telnyx Python SDK on PyPI — the popular communications platform SDK with 742,000 total downloads. Versions 4.87.1 and 4.87.2, live for a 6.5-hour window on March 27, 2026, delivered a credential-stealing payload concealed inside WAV audio file frame data. Here is how the attack worked and what you need to do right now.
Dillip Chowdary
Founder & AI Researcher • March 28, 2026
Incident Summary
- Package: telnyx (Python SDK) — 742,000 total downloads on PyPI
- Malicious versions: 4.87.1 and 4.87.2 — published March 27, 03:51–10:13 UTC (6.5 hours)
- Technique: credential-stealing payload hidden in WAV audio frame data (steganography)
- Stolen: SSH keys, cloud tokens (AWS/GCP/Azure), crypto wallets, env vars, credentials
- Attribution: TeamPCP — same group behind Trivy, KICS, and LiteLLM PyPI attacks
- Action: Downgrade to telnyx==4.87.0 immediately; rotate all secrets on affected systems
TeamPCP: A Persistent PyPI Threat Actor
TeamPCP is a financially motivated threat actor that has built a methodical campaign targeting the Python ecosystem's most widely used packages. Prior to the telnyx compromise, TeamPCP successfully injected malicious code into the Trivy container vulnerability scanner, KICS (Keeping Infrastructure as Code Secure), and LiteLLM — all three tools predominantly used in DevSecOps and AI application development workflows.
The group's targeting pattern reveals a deliberate strategy: they prioritize packages that are installed in CI/CD pipelines, developer workstations, and AI application backends — environments that are rich in cloud credentials, API keys, SSH keys for deployment infrastructure, and cryptocurrency wallets belonging to developer teams. The telnyx SDK is used by teams building voice, SMS, and real-time communications features — and those teams' Python environments typically contain the full breadth of credentials that TeamPCP is after.
The WAV Steganography Technique
What distinguishes this attack from conventional PyPI poisoning is the use of audio steganography to conceal the malicious payload. Traditional supply chain attacks embed Base64-encoded or obfuscated strings directly in Python source files — a pattern that static analysis tools and PyPI's own scanning infrastructure are well-calibrated to detect. TeamPCP evaded these controls by encoding the payload in the audio frame data of a valid WAV file bundled with the package.
How WAV Steganography Works at the Technical Level
A WAV file consists of a RIFF header followed by audio data chunks. The audio data in a standard PCM WAV file is a sequence of integer samples representing waveform amplitude. Steganography exploits the fact that modifying the least significant bits (LSBs) of audio samples is inaudible to human listeners — a change from sample value 1024 to 1025 produces no perceptible audio difference, but encodes one bit of hidden data.
TeamPCP's payload was encoded into the LSBs of the WAV file's audio samples. When the telnyx package was imported, the malicious loader code in telnyx/_client.py read the WAV file, extracted the hidden bytes from the audio samples, decoded them, and executed the resulting payload in memory — leaving no intermediate file on disk to trigger file-system-based detection.
Why This Bypasses Standard Detection
- Static analysis tools inspect Python source files for suspicious patterns — the WAV file appears as a harmless audio asset
- PyPI's automated scanning checks for obfuscated strings and known malicious patterns in .py files — WAV binary data is not scanned this way
- File reputation systems see a valid, structurally correct WAV file with legitimate audio content — no hash match against known malware
- Memory-only execution means no executable file is written to disk, bypassing file-system antivirus hooks
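As an added defensive example (mine, not code from the article or from the telnyx package), the carve-and-triage routine below reverses the LSB layout described above for a 16-bit PCM WAV and scores the recovered byte plane for printable-text runs and a few assumed payload markers. The marker list and the 16-byte run threshold are my assumptions, and the test assets are constructed here, not the real bundled audio file.

```python
import io
import struct
import wave

# Assumed marker list: byte patterns hard to explain in real audio (0x78 0x9c / 0x78 0xda are zlib headers).
PAYLOAD_MARKERS = (b"import ", b"exec(", b"marshal", b"base64", b"\x78\x9c", b"\x78\xda")

def make_wav(samples):
    """Serialise 16-bit mono PCM samples at 8 kHz into an in-memory WAV file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()

def read_samples(wav_bytes):
    """Return every 16-bit sample (channels interleaved) as a tuple of ints."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("this triage helper only handles 16-bit PCM")
        count = w.getnframes() * w.getnchannels()
        return struct.unpack(f"<{count}h", w.readframes(w.getnframes()))

def carve_lsb_plane(samples):
    """Collect the least significant bit of each sample into bytes, MSB-first."""
    out = bytearray()
    for i in range(0, len(samples) - len(samples) % 8, 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | (s & 1)
        out.append(byte)
    return bytes(out)

def triage_wav(wav_bytes, min_run=16):
    """Flag a WAV whose LSB plane carries text-like runs or known payload markers."""
    plane = carve_lsb_plane(read_samples(wav_bytes))
    best = run = 0
    for b in plane:  # longest run of printable ASCII (plus tab/CR/LF); real audio LSBs rarely form one
        run = run + 1 if (32 <= b < 127 or b in (9, 10, 13)) else 0
        best = max(best, run)
    markers = [m for m in PAYLOAD_MARKERS if m in plane]
    verdict = "suspicious" if markers or best >= min_run else "no-lsb-payload-indicators"
    return {"longest_printable_run": best, "markers": markers, "verdict": verdict}

# Constructed test assets, not the real telnyx file: a sawtooth with all-even samples (zero LSB plane) and a copy whose first LSBs carry a constructed marker string.
CLEAN_SAMPLES = [(i * 4) % 2000 - 1000 for i in range(4000)]
CONSTRUCTED_TEXT = b"import os  # constructed marker, not TeamPCP's code"
BITS = "".join(f"{b:08b}" for b in CONSTRUCTED_TEXT)
STEGO_SAMPLES = [(s & ~1) | int(BITS[i]) if i < len(BITS) else s for i, s in enumerate(CLEAN_SAMPLES)]
```

Run triage_wav over every .wav shipped inside a site-packages distribution; a compressed or encrypted payload defeats the printable-run check, so treat the marker list as a starting point for review rather than a verdict.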
Payload Behavior: What Was Stolen
Once decoded and executed, the payload behaved differently depending on the operating system. On Linux and macOS — the predominant environments for Python development and CI/CD — it performed an immediate reconnaissance sweep followed by exfiltration:
- SSH keys: reads all files in ~/.ssh/, including private keys, authorized_keys, and known_hosts
- Cloud provider credentials: AWS credentials in ~/.aws/credentials and ~/.aws/config; GCP service account JSON files; Azure CLI credentials in ~/.azure/
- Cryptocurrency wallets: wallet.dat files, seed phrase storage, browser extension wallet data for MetaMask, Phantom, and Coinbase Wallet
- Environment variables: the full process environment at execution time — capturing any API keys, database passwords, or secrets set in the shell
- Browser credential stores: Chrome and Firefox saved passwords and authentication cookies
On Windows, the payload additionally wrote itself to the user's Startup folder for persistence, ensuring credentials collected on the initial run were supplemented by ongoing keylogging and credential harvesting across subsequent logins.
The 6.5-Hour Exposure Window
The malicious versions were live on PyPI from 03:51 UTC to 10:13 UTC on March 27, 2026 — a period of approximately 6.5 hours. This window covers the early-morning CI/CD run cycles for North American teams (CI pipelines that run overnight or at market open) and the active work hours for European development teams. Any system that ran pip install telnyx, pip install --upgrade telnyx, or had an unpinned telnyx dependency resolved during this window should be treated as potentially compromised.
CI/CD Pipeline Risk
Pipelines that do not pin exact package versions (using telnyx==4.87.0 rather than telnyx>=4.87 or telnyx without a version specifier) are the highest-risk targets. Many teams use unpinned production dependencies as a policy choice to receive automatic security patches — this incident is a clear example of why pinning plus lock files plus integrity verification is the correct default for any package touching a production credential environment.
Immediate Remediation
Response Checklist
What This Attack Reveals About PyPI Security
The TeamPCP campaign — now spanning at least four major Python packages — exposes fundamental gaps in how the Python ecosystem defends against supply chain attacks. PyPI's automated scanning is primarily effective against known patterns: obfuscated strings, suspicious network connections in setup.py, and previously seen malware signatures. Novel evasion techniques like WAV steganography exploit the fact that scanning is pattern-based rather than behavior-based.
The most effective defenses available to development teams today are not dependent on PyPI improving its scanning. They are controls teams implement themselves: strict version pinning with lock files, integrity verification via pip-audit or Sigstore signatures, and network egress monitoring in CI/CD environments that alerts when a package installation triggers an unexpected outbound connection. None of these controls require trusting that PyPI's scanner caught the attack before you installed it.
Teams should also audit their dependency policies for any package in the TeamPCP target profile: DevSecOps tools (scanners, linters, IaC validators), AI/LLM SDK packages, and communications platform SDKs. These are the categories TeamPCP has systematically targeted, and the campaign shows no signs of stopping.