TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

Photo: The Hacker News
Hackers from the TeamPCP group have compromised the popular Telnyx library on the official PyPI repository, publishing malicious versions that use a WAV audio file to hide data-stealing malware. Rather than typosquatting a look-alike name, the attackers shipped the malicious code as new versions of the genuine telnyx package, so developers who simply upgraded received it without making any mistake in the package name.

The steganographic technique makes the payload far harder for signature-based antivirus scanners to catch: at first glance the file is an ordinary sound file. Upon installation of the infected library, a script automatically downloads a WAV file from GitHub, extracts the hidden stealer, and executes it on the victim's system. The malware focuses on exfiltrating sensitive data, including browser passwords, Discord tokens, and cryptocurrency wallet contents.

For the global community of Python developers, this is a clear signal that pinning dependencies to exact versions and verifying their checksums has become a critical element of digital hygiene. The incident forces a shift toward a Zero Trust posture even within seemingly trusted open-source ecosystems, where a single "pip install" of a poisoned version can compromise developer workstations and, through the stolen credentials, the company's wider infrastructure. Software supply chain security has ceased to be a theoretical problem and has become a real battlefield against increasingly sophisticated cybercrime.
Supply chain attacks on open-source ecosystems are becoming increasingly sophisticated, and the latest campaign by the TeamPCP group is a glaring example. Known for previous strikes against popular tools such as Trivy, KICS, and litellm, this threat actor has targeted the official PyPI (Python Package Index) repository by infecting the telnyx package. What distinguishes this incident is not only the scale, but primarily the method of hiding malicious code, which utilizes steganographic techniques in multimedia files.
On March 27, 2026, two malicious versions of the library were uploaded to the PyPI repository: 4.87.1 and 4.87.2. Although at first glance they appeared to be standard updates to the popular SDK for communication services, they carried a loader that retrieves and runs a credential-harvesting stealer built for the mass theft of credentials and sensitive system data. TeamPCP has demonstrated great determination by continuing a series of attacks aimed at development infrastructure, which calls into question the effectiveness of current package verification systems in public registries.
Audio steganography as a shield for malware
The most disturbing element of the attack on the telnyx package is the distribution method of the malicious payload. Instead of shipping the stealer itself as readable Python in the package's .py files, where automated security scanners would flag it quickly, the attackers left only a small loader in the package and hid the stealer inside an innocent-looking .WAV file fetched at install time. Transporting the payload as audio lets it pass many content inspection and download controls, because media files of this type are rarely subjected to deep inspection for embedded executable code.
The chain is straightforward: once the infected version of the library is installed in a developer's environment or on a production server, the loader fetches the audio file and decodes the hidden content. After extraction, the stealer searches the system for API keys, passwords, and configuration files. Given that telnyx is a tool primarily used in telecommunications systems and API integrations, the potential damage resulting from the leak of access keys could be catastrophic for the stability of business services.
- Infected versions: 4.87.1 and 4.87.2
- Publication date: March 27, 2026
- Payload delivery: stealer hidden in a .WAV file fetched from GitHub at install time
- Goal: credential harvesting (API keys, passwords, browser data, Discord tokens, wallets)
- Responsible group: TeamPCP
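The article does not say how the stealer was encoded inside the audio, so the script below, an added example of mine rather than TeamPCP's code or anything from the Telnyx project, checks a WAV file for the two structural hiding places a player silently ignores (bytes appended after the RIFF structure, and private chunks inside it) and adds a byte-entropy heuristic on the audio data. The sample files, the chunk id "pAyL" and the payload bytes are all constructed in the script.

```python
"""Check a WAV file for data that does not belong to the audio (constructed samples included)."""
import io
import math
import struct
import wave
from collections import Counter

# Chunk ids that ordinary tools write; anything else deserves a look.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext", b"JUNK", b"id3 "}
ENTROPY_LIMIT = 7.5     # bits/byte; packed or encrypted payloads sit near 8.0, PCM audio well below


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inspect_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report anything outside the declared structure."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", blob[4:8])[0]
    declared_end = 8 + riff_size                 # the RIFF size covers everything after the size field
    report = {"chunks": [], "unknown_chunks": [], "trailing_bytes": 0, "data_entropy": 0.0}
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + size]
        report["chunks"].append((cid.decode("latin-1"), size))
        if cid not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(cid.decode("latin-1"))
        if cid == b"data":
            report["data_entropy"] = round(shannon_entropy(body), 2)
        pos += 8 + size + (size & 1)             # chunk bodies are padded to an even length
    report["trailing_bytes"] = max(0, len(blob) - declared_end)
    report["suspicious"] = (bool(report["unknown_chunks"])
                            or report["trailing_bytes"] > 0
                            or report["data_entropy"] > ENTROPY_LIMIT)
    return report


def make_wav(seconds: float = 0.1, rate: int = 8000) -> bytes:
    """Constructed clean sample: a quiet 440 Hz tone, 16-bit mono PCM."""
    frames = b"".join(struct.pack("<h", int(1000 * math.sin(2 * math.pi * 440 * i / rate)))
                      for i in range(int(seconds * rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


def append_payload(wav: bytes, payload: bytes) -> bytes:
    """Hiding place 1: bytes after the RIFF structure; players stop at the declared end."""
    return wav + payload


def add_private_chunk(wav: bytes, cid: bytes, payload: bytes) -> bytes:
    """Hiding place 2: an extra chunk inside the RIFF list, with the RIFF size patched to cover it."""
    chunk = cid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    new_size = struct.unpack("<I", wav[4:8])[0] + len(chunk)
    return wav[:4] + struct.pack("<I", new_size) + wav[8:] + chunk


PAYLOAD = bytes(range(256)) * 4   # constructed high-entropy stand-in for a packed stealer

if __name__ == "__main__":
    clean = make_wav()
    for label, sample in [("clean", clean),
                          ("appended", append_payload(clean, PAYLOAD)),
                          ("private chunk", add_private_chunk(clean, b"pAyL", PAYLOAD))]:
        print(label, inspect_wav(sample))
```

Caveat: a payload spread across the least significant bits of the samples themselves passes these structural checks and barely moves the entropy. For that variant the better detection point is the loader, not the carrier: package code that downloads a media file and then decodes and executes its contents has no legitimate reason to exist in an SDK.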
Evolution of threats in the software supply chain
The actions of TeamPCP show that the era of simple typosquatting attacks (registering names similar to popular packages) is slowly giving way to the hijacking of existing, trusted developer accounts or the compromise of CI/CD processes. The attack on telnyx follows a series of successful operations targeting Trivy and litellm, suggesting that this group has a developed methodology for infiltrating projects of critical importance to the modern technology stack, including tools supporting AI and cybersecurity.
The modern approach to security must evolve toward a Zero Trust model, not only for network access (ZTNA) but also for trust in external dependencies. Replacing traditional VPN solutions with ZTNA narrows an intruder's room for lateral movement (moving sideways through a network once inside), but in the case of poisoned open-source libraries the problem lies deeper: at the very heart of the application. Developers must begin to treat every external library as a potential attack vector, pinning exact versions and verifying the hashes of downloaded artifacts against a reviewed lockfile rather than trusting whatever the index currently serves.
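Version pinning with hash verification is what pip's hash-checking mode enforces. The script below is an added example (not the page's or the Telnyx project's code) that mirrors that mode: it parses requirement lines carrying `--hash=` options, rejects anything unpinned, and checks downloaded artifact bytes against the pinned digests. The package name `examplepkg`, its version and the artifact bytes are constructed stand-ins.

```python
"""Pin dependencies to exact versions and artifact hashes, and verify artifacts before installing."""
import hashlib
import re

# Hypothetical package and constructed artifact bytes standing in for a downloaded wheel.
GOOD_ARTIFACT = b"PK\x03\x04 constructed stand-in for examplepkg-1.2.3-py3-none-any.whl"
# Requirement lines in the form pip's hash-checking mode consumes (pip install --require-hashes).
REQUIREMENTS = (
    "examplepkg==1.2.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
)

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return {normalised name: {"version": str, "hashes": {(algo, hexdigest), ...}}}.
    Anything not pinned with == and carrying at least one --hash is rejected, as hash mode does."""
    reqs = {}
    for raw in text.replace("\\\n", " ").splitlines():      # join line continuations like pip
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not pinned with ==: {line!r}")
        hashes = {(h["algo"], h["hex"].lower()) for h in HASH_OPT.finditer(m["rest"])}
        if not hashes:
            raise ValueError(f"no --hash for {m['name']}; hash mode would refuse to install it")
        reqs[normalize(m["name"])] = {"version": m["version"], "hashes": hashes}
    return reqs


def artifact_matches(blob: bytes, hashes: set) -> bool:
    """True if the downloaded wheel/sdist bytes match one of the pinned digests."""
    return any(hashlib.new(algo, blob).hexdigest() == digest for algo, digest in hashes)


def check_downloads(req_text: str, downloads: dict) -> dict:
    """Map each failing requirement to a reason; an empty dict means everything verified."""
    problems = {}
    for name, spec in parse_requirements(req_text).items():
        blob = downloads.get(name)
        if blob is None:
            problems[name] = "no artifact downloaded"
        elif not artifact_matches(blob, spec["hashes"]):
            problems[name] = f"hash mismatch for {name}=={spec['version']}"
    return problems


def hash_line(name: str, version: str, blob: bytes) -> str:
    """The line to commit after reviewing an artifact (what `pip hash <file>` prints)."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(blob).hexdigest()}"


if __name__ == "__main__":
    print(check_downloads(REQUIREMENTS, {"examplepkg": GOOD_ARTIFACT}))        # {}
    print(check_downloads(REQUIREMENTS, {"examplepkg": GOOD_ARTIFACT + b"!"}))  # hash mismatch
```

In practice the lockfile is produced with `pip hash` or pip-tools' `pip-compile --generate-hashes`, reviewed in code review like any other change, and consumed with `pip install --require-hashes -r requirements.txt`; in that mode pip refuses any requirement that is not pinned with `==` and carrying a hash, which is exactly what `parse_requirements` mirrors. The limit of the control is the moment of updating the pin: whoever bumps to a freshly poisoned version still pins the poison, so the review of what changed matters as much as the hash itself.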

Technical analysis of the malicious code in telnyx reveals that TeamPCP does not limit itself to simple scripts. Their tools are designed to operate discreetly, often with delayed activation, making it difficult to link the moment of infection to a specific change in the code. For organizations using PyPI, this incident is a wake-up call: automatically downloading the "latest" versions without prior verification in a sandbox is becoming an extremely dangerous practice.
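One cheap complement to the "don't blindly take latest" advice above is a quarantine window: adopt a release only once it has been public for a set number of days, giving maintainers and scanners time to yank a poisoned upload. The script below is an added example (not the page's or the Telnyx project's code); the package name, dates and JSON are constructed stand-ins laid out like the response of PyPI's `/pypi/<name>/json` endpoint, which a real check would fetch over HTTPS.

```python
"""Hold back freshly published releases instead of installing whatever the index calls 'latest'."""
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for https://pypi.org/pypi/<name>/json (same field layout, hypothetical package).
PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.1.0"},
    "releases": {
        "1.0.0": [{"filename": "examplepkg-1.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-01-15T10:00:00.000000Z", "yanked": False}],
        "1.0.1": [{"filename": "examplepkg-1.0.1-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-02-20T09:30:00.000000Z", "yanked": False}],
        "1.0.2": [{"filename": "examplepkg-1.0.2-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-03-01T12:00:00.000000Z", "yanked": True}],
        "1.1.0": [{"filename": "examplepkg-1.1.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-03-27T18:42:00.000000Z", "yanked": False}],
    },
})
NOW = datetime(2026, 3, 29, tzinfo=timezone.utc)   # constructed "today" for a reproducible run


def _upload_time(file_entry: dict) -> datetime:
    # PyPI emits a trailing 'Z'; older Pythons' fromisoformat() want an explicit offset.
    return datetime.fromisoformat(file_entry["upload_time_iso_8601"].replace("Z", "+00:00"))


def _version_key(version: str) -> tuple:
    # Adequate for plain dotted versions; use packaging.version.Version for full PEP 440 handling.
    return tuple(int(part) for part in version.split("."))


def choose_version(pypi_json: str, min_age_days: int, now: datetime = NOW) -> tuple:
    """Newest non-yanked release whose every file is at least min_age_days old,
    plus the sorted list of releases held back by the quarantine window."""
    releases = json.loads(pypi_json)["releases"]
    cutoff = now - timedelta(days=min_age_days)
    eligible, held_back = [], []
    for version, files in releases.items():
        if not files or any(f.get("yanked") for f in files):
            continue                       # yanked or empty releases are never candidates
        if max(_upload_time(f) for f in files) <= cutoff:
            eligible.append(version)
        else:
            held_back.append(version)
    if not eligible:
        raise LookupError("no release old enough to pass the quarantine window")
    return max(eligible, key=_version_key), sorted(held_back, key=_version_key)


if __name__ == "__main__":
    chosen, held = choose_version(PYPI_JSON, min_age_days=7)
    print(f"install {chosen}; held back: {held}")   # install 1.0.1; held back: ['1.1.0']
```

The window is a policy knob, not a guarantee: a team that happened to update within hours of the malicious upload gains nothing from it, and a payload with delayed activation can outlast a short window. It pairs naturally with hash pinning: the quarantine decides which version to pin, and the hash makes sure that is the version actually installed.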
"Directly connecting users to applications and eliminating lateral movement are the foundations of modern security; however, in the face of supply chain attacks, we must also look at what those applications contain."
Defense strategies in the era of steganographic malware
Protection against threats such as those served by TeamPCP requires a multi-layered approach. First, it is essential to implement SCA (Software Composition Analysis) tools that look for anomalies in package behaviour as well as structure: install-time or import-time code that fetches and executes remote content, and binary or media files in what should be a pure-Python library. Second, monitoring outgoing traffic from development, CI and production servers is crucial; a sudden transfer to an unknown C2 (Command and Control) endpoint is often the only visible trace of a stealer in action, and a build host that starts downloading audio files has no legitimate reason to do so.
In the context of credential theft, organizations should strive to eliminate static API keys in favor of short-lived access tokens and centrally managed machine identities. If an attacker captures credentials that expire after a few minutes, their room for maneuver decreases drastically. The TeamPCP campaign targeting telnyx proves that the security of repositories like PyPI remains one of the weakest links in the global IT ecosystem, and the responsibility for code verification ultimately rests on the shoulders of the end user and the organization.
It can be assumed that the steganographic techniques we see today in .WAV files will soon find their way into images, PDF documents, and even AI models distributed in formats such as safetensors. TeamPCP has set a dangerous direction in which malware becomes an integral, almost imperceptible part of legitimate software. The only effective response is rigorous dependency control and moving away from blind trust in public repositories toward internal, audited mirrors of open-source software.