admin  

TeamPCP’s Telnyx Compromise: credential-based, steganographic backdoor in PyPI releases

On March 27, 2026 the Telnyx Python SDK on PyPI was backdoored by the actor known as TeamPCP using stolen maintainer credentials — not typosquatting. Malicious code landed only in telnyx/_client.py inside published releases 4.87.1 and 4.87.2 (no corresponding GitHub tags or releases), and the package’s ~700,000 monthly-download footprint made the trojanized SDK a high-value distribution vector.

How the compromise worked and what it stole

The injected code in telnyx/_client.py executed on import and fetched a second-stage payload disguised as a WAV file. On Linux and macOS the file was ringtone.wav and used steganography to hide encrypted code that, when decoded and run in memory, harvested SSH keys, cloud tokens, cryptocurrency wallets, environment variables and Kubernetes secrets. Windows targets received hangup.wav; that WAV contained an executable dropped as msbuild.exe into the user’s Startup folder to achieve persistence. The attacker enforced a 12‑hour execution lock to limit repeated runs and communicated stolen data over HTTP using AES‑256‑CBC for payload encryption and RSA‑4096 for key exchange, tagging exfiltration with a distinctive header (X-Filename: tpcp.tar.gz).

TeamPCP demonstrated operational control: after shipping 4.87.1 they pushed 4.87.2 within about an hour to fix a Windows path casing bug, showing active monitoring and rapid payload adjustment. The campaign reused the same RSA key and the tpcp.tar.gz header previously seen in attacks against other PyPI packages such as LiteLLM, indicating this is part of a sustained shift from typosquatting to direct, credential-based compromises of trusted maintainers.

Practical checks, indicators and immediate remediation

If you manage systems or CI that may have installed telnyx, check whether any machines have versions 4.87.1 or 4.87.2 installed (pip show telnyx and inspect site-packages/telnyx/_client.py), search network logs for HTTP requests with header X-Filename: tpcp.tar.gz, and on Windows look for msbuild.exe in user Startup folders. Roll back to the last known clean release (4.87.0), rotate any exposed SSH keys, API tokens and cloud credentials, and treat secrets present on hosts that installed the malicious versions as potentially exfiltrated. Although the payload delivery URLs are currently inactive, the short active window could still have exposed credentials; assume compromise until audited and remediated.
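The triage steps above, collected into a small script. This is an added example written for this page, not code from Telnyx, PyPI or the attacker; it assumes only the indicators the article gives (affected releases 4.87.1 and 4.87.2, the clean release 4.87.0, the X-Filename: tpcp.tar.gz header, and msbuild.exe in a Windows Startup folder). The proxy log lines and the directory list are constructed for the demo; the RFC 5737 address in them is a placeholder, not a real indicator.

```python
"""Triage helpers for hosts and CI that may have installed the backdoored telnyx releases.

Added example, not Telnyx's, PyPI's or TeamPCP's code. Indicators come from the
article; sample log lines and paths are constructed for the demo.
"""
import re
from importlib import metadata
from pathlib import Path

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"
# Header the article reports on the exfiltration upload.
EXFIL_HEADER = re.compile(r"X-Filename:\s*tpcp\.tar\.gz", re.IGNORECASE)
# Name of the binary dropped into the user's Startup folder on Windows.
DROPPED_BINARY = "msbuild.exe"

# Constructed proxy log lines; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_PROXY_LOG = [
    '2026-03-27T14:02:11Z POST http://203.0.113.10/upload hdr="X-Filename: tpcp.tar.gz" 200',
    '2026-03-27T14:02:12Z GET http://203.0.113.10/ringtone.wav 200',
    '2026-03-27T14:03:40Z POST http://203.0.113.10/upload hdr="X-Filename: report.pdf" 200',
]


def is_affected_version(version: str) -> bool:
    """True if the given telnyx version is one of the two backdoored releases."""
    return version.strip() in AFFECTED_VERSIONS


def installed_telnyx_status() -> str:
    """Report the locally installed telnyx version (if any) and whether it is affected.

    Equivalent to running `pip show telnyx` and reading the Version line.
    """
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "telnyx not installed"
    if is_affected_version(version):
        return (f"AFFECTED: telnyx {version} installed; roll back to "
                f"{LAST_CLEAN_VERSION}, rotate secrets and audit the host")
    return f"telnyx {version} installed; not an affected release"


def find_exfil_requests(log_lines):
    """Return (line number, line) pairs whose headers carry the exfiltration marker."""
    return [(i, line) for i, line in enumerate(log_lines, 1) if EXFIL_HEADER.search(line)]


def startup_folder_hits(startup_dirs):
    """Return paths named msbuild.exe found directly inside the given Startup folders.

    On Windows the per-user folder is
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup; msbuild.exe does
    not belong there under any normal install, so any hit warrants a closer look.
    Directories that do not exist are skipped, so the check is safe to run anywhere.
    """
    hits = []
    for d in startup_dirs:
        path = Path(d)
        if path.is_dir():
            for entry in path.iterdir():
                if entry.name.lower() == DROPPED_BINARY:
                    hits.append(str(entry))
    return hits


if __name__ == "__main__":
    print(installed_telnyx_status())
    for lineno, line in find_exfil_requests(SAMPLE_PROXY_LOG):
        print(f"exfil marker in log line {lineno}: {line}")
    print("startup hits:", startup_folder_hits(["/nonexistent/startup"]))
```

Run it on each host that could have pulled telnyx between the two releases and on the CI runners that build from the same lockfile; feed `find_exfil_requests` your real proxy or egress logs instead of the constructed sample.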

Aspect | Linux / macOS | Windows
--- | --- | ---
Second-stage file | ringtone.wav (steganographic code) | hangup.wav (contains executable)
Primary actions | In-memory execution, harvest keys/tokens/secrets | Drop msbuild.exe to Startup for persistence
Persistence | Ephemeral in-memory; may leave stolen credentials | Persistent via Startup folder
Exfiltration signature | HTTP upload encrypted with AES‑256‑CBC, RSA‑4096 used for keys, header X-Filename: tpcp.tar.gz | Same as Linux / macOS

Quick answers

Is this just typosquatting? No — the attackers used stolen publishing credentials to modify the official Telnyx package on PyPI, not a look‑alike name.

Should you uninstall immediately? Yes if you detect 4.87.1 or 4.87.2; revert to 4.87.0, rotate secrets, and perform host-level forensics before redeploying.


Is PyPI at fault? The vector was stolen maintainer credentials; PyPI’s lack of mandatory pre-upload validation or signing made the compromise possible and harder to block before distribution.

Policy choices and operational trade-offs for teams and registries

This incident crystallizes a trade-off: registries that rely on reputation and post-upload scanning reduce friction for maintainers but expose consumers when accounts are compromised. Mandatory code signing or pre-upload validation (the next checkpoint for PyPI) would raise the barrier to credential-based inserts but also increase operational burden for small maintainers and require rollout plans, key management policies, and migration timelines. Expect debate over thresholds — for example, whether signing should be mandatory for packages above a download or dependency-criticality threshold (e.g., >100k monthly downloads or packages listed in an organization’s SBOM).

For organizations, the practical decision lens is: treat widely used, high-impact dependencies as attack surfaces, require integrity checks and reproducible builds for critical packages, and enforce secrets‑in‑files scanning and least-privilege runtime identities. The Telnyx case — explicit filename, WAV steganography, AES‑256 + RSA‑4096, and quick in-field fixes by the attacker — shows attackers now operate with developer-like agility; detection requires matching operational speed with automated integrity controls and out‑of‑band verification of maintainers when a sudden, untagged release appears.
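Two of the automated controls the paragraph above calls for, as an added example that is not part of the article and not Telnyx's or PyPI's tooling. The first flags registry releases that have no matching tag in the project's source repository, the anomaly seen here (4.87.1 and 4.87.2 existed only on PyPI). The second verifies a downloaded artifact against the sha256 pins in a hash-pinned requirements file before anything is installed. The version list, tag list, requirements text and artifact bytes are all constructed for the demo; in practice the versions come from the registry's JSON API, the tags from `git tag`, and the artifact from the download cache.

```python
"""Out-of-band integrity checks for third-party packages.

Added example, not from the article or from Telnyx/PyPI. All inputs are
constructed; only the idea (untagged-release detection, hash-pinned installs)
comes from the page.
"""
import hashlib
import re

HASH_PIN = re.compile(r"--hash=sha256:([0-9a-f]{64})")
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")

# Constructed: what a registry might list versus what the source repo has tagged.
REGISTRY_VERSIONS = ["4.87.2", "4.87.1", "4.87.0", "4.86.0"]
GIT_TAGS = ["v4.87.0", "v4.86.0"]

# Constructed stand-in for a downloaded wheel, and a requirements file pinning its digest.
WHEEL_BYTES = b"constructed wheel contents standing in for telnyx-4.87.0-py3-none-any.whl"
REQUIREMENTS = f"""
# constructed hash-pinned requirements file
telnyx==4.87.0 \\
    --hash=sha256:{hashlib.sha256(WHEEL_BYTES).hexdigest()}
"""


def normalize_tag(tag: str) -> str:
    """Map a git tag such as 'v4.87.0' or 'release-4.87.0' to its bare version string."""
    return re.sub(r"^(v|release-)", "", tag.strip())


def untagged_releases(registry_versions, git_tags):
    """Return registry versions with no corresponding source tag, in the order given.

    A non-empty result is the cue for out-of-band verification with the maintainer
    before the new version is allowed into a lockfile.
    """
    tagged = {normalize_tag(t) for t in git_tags}
    return [v for v in registry_versions if v not in tagged]


def parse_requirements(text):
    """Return {name: (version, {sha256 digests})} from a pip-style hash-pinned file.

    Handles the usual layout where the requirement line ends with a backslash and
    one or more '--hash=sha256:...' continuation lines follow it.
    """
    pins = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = REQ_LINE.match(line)
        if match:
            current = match.group(1).lower()
            pins[current] = (match.group(2), set())
        if current:
            pins[current][1].update(HASH_PIN.findall(line))
    return pins


def verify_pinned_artifact(name, version, artifact_bytes, pins):
    """Return (ok, reason); ok is True only if name==version is pinned and its digest matches.

    Refusing unpinned names and version drift, not just digest mismatches, is what
    stops a surprise 4.87.1 from replacing a pinned 4.87.0.
    """
    entry = pins.get(name.lower())
    if entry is None:
        return False, f"{name} is not pinned"
    pinned_version, digests = entry
    if pinned_version != version:
        return False, f"{name}=={version} is not the pinned version {pinned_version}"
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if digest not in digests:
        return False, f"sha256 {digest[:12]}... is not among the {len(digests)} pinned digest(s)"
    return True, "digest matches pin"


if __name__ == "__main__":
    print("untagged releases:", untagged_releases(REGISTRY_VERSIONS, GIT_TAGS))
    pins = parse_requirements(REQUIREMENTS)
    print(verify_pinned_artifact("telnyx", "4.87.0", WHEEL_BYTES, pins))
    print(verify_pinned_artifact("telnyx", "4.87.1", WHEEL_BYTES, pins))
```

`pip install --require-hashes -r requirements.txt` enforces the same digest check at install time; the standalone verifier is useful in a pre-install gate that also wants to apply the untagged-release rule before the lockfile is updated.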
