A PyPI supply chain attack compromised the telnyx Python SDK on March 27, 2026, marking the third major strike by TeamPCP in a single week. Malicious versions 4.87.1 and 4.87.2 were published at 03:51 UTC and removed by 10:13 UTC the same day, but the window of exposure threatened millions of developers worldwide. The Telnyx platform itself remained untouched—the attack targeted only the PyPI distribution channel, yet the implications for software supply chain security are severe.
Key Takeaways
- Malicious telnyx SDK versions 4.87.1 and 4.87.2 exposed ~3.8M potential users during a 9-hour window on March 27, 2026.
- Attackers used stolen PyPI API tokens (likely harvested from LiteLLM victims) to publish malicious code without OIDC protections.
- Payload embedded in telnyx/_client.py executes on import, fetching encrypted credential-stealing malware hidden in WAV audio files via steganography.
- TeamPCP used identical RSA-4096 encryption keys across telnyx and LiteLLM compromises, enabling unified decryption of stolen data.
- Users must downgrade to version 4.87.0 and pin dependencies to prevent automatic upgrades to compromised versions.
How the PyPI Supply Chain Attack Unfolded
The PyPI supply chain attack followed a pattern established three days earlier when the same group compromised LiteLLM. Attackers injected 74 lines of malicious code into telnyx/_client.py, positioned to execute immediately upon importing the library. This approach differs sharply from traditional malware distribution—the code runs silently during routine dependency installation, bypassing most security tooling.
The attack exploited a critical vulnerability in PyPI’s token management: Telnyx’s API token was long-lived and lacked OIDC Trusted Publishers protection. Researchers at Endor Labs believe the token was harvested from developers who had previously installed the compromised LiteLLM package, which had already stolen credentials from environment variables, .env files, and shell histories. This cascading compromise—where one breach enables attacks on downstream projects—illustrates why supply chain security requires defense at every layer.
The Steganography Technique Behind the PyPI Supply Chain Attack
What distinguishes this PyPI supply chain attack from routine malware is its use of steganography to hide the payload. The injected code fetches a file named ringtone.wav from a command-and-control server, then extracts a hidden Python script embedded within the audio file using base64 and XOR encoding. This three-stage execution chain—initial import, remote fetch, steganographic decoding—forces defenders to monitor network behavior rather than static code analysis alone.
Once decoded, the third-stage payload steals SSH keys, Kubernetes secrets, environment variables, and other credentials from the compromised system. The exfiltrated data is encrypted using AES-256-CBC with the session key wrapped in the attacker’s RSA-4096 public key via OAEP, then archived as tpcp.tar.gz and sent back to the attacker. The encryption scheme is identical to the one used in the LiteLLM compromise, suggesting shared infrastructure or a single attacker group operating across multiple projects.
Why Client SDKs Represent a Blind Spot in Supply Chain Security
The telnyx compromise exposes a critical asymmetry in how the software industry approaches supply chain security. Most hardening efforts focus on server-side tools and infrastructure components, yet client SDKs like telnyx are installed into development environments and CI/CD pipelines with minimal vetting. Unlike server tools that run in isolated, monitored contexts, SDKs execute in the same process space as the application code itself, granting them access to all credentials and secrets available to the developer.
The telnyx package has accumulated approximately 3.8 million downloads total, meaning the PyPI supply chain attack potentially affected millions of developers, either through direct installation, automatic upgrades, or transitive dependencies that did not pin versions. A developer who installed telnyx without specifying a version constraint would have automatically pulled version 4.87.2 during the nine-hour exposure window, unknowingly executing the malicious payload.
Comparing the PyPI Supply Chain Attack to Prior TeamPCP Campaigns
This is not TeamPCP’s first strike. The group has claimed responsibility for compromises spanning multiple ecosystems and package managers. On March 24, 2026, three days before the telnyx attack, TeamPCP published malicious versions 1.82.7 and 1.82.8 of LiteLLM to PyPI, using nearly identical code and encryption techniques. Earlier in March, the same group compromised Trivy and KICS, and published CanisterWorm across 46+ npm packages using stolen tokens, automating the publishing process to complete attacks in under 60 seconds.
The byte-for-byte match between the RSA-4096 public keys used in telnyx and LiteLLM attacks confirms that a single actor controls both campaigns. This unified encryption key means attackers can decrypt all stolen data from both compromises using a single private key, creating a single point of failure for all victims across both projects. The speed and coordination of these attacks—spanning PyPI, npm, and multiple security tools—suggest a well-resourced group with automated tooling and deep knowledge of package manager vulnerabilities.
The Root Cause: PyPI’s Token Security Model
At the core of this PyPI supply chain attack lies a fundamental weakness in how PyPI manages API tokens. Telnyx’s token was long-lived, meaning it remained valid indefinitely once issued, and it lacked OIDC Trusted Publishers support, a newer security mechanism that ties token validity to specific CI/CD environments. This older authentication model creates persistent targets for attackers—a stolen token grants permanent access until explicitly revoked, and many developers never revoke old tokens.
The token’s presence in developers’ environment variables and shell histories made it vulnerable to exfiltration by the LiteLLM compromise. Once stolen, the attacker could publish new versions to PyPI without any additional authentication, bypassing code review, security scanning, or approval workflows. PyPI’s quarantine and removal of the malicious versions within nine hours was swift, yet the window remained wide enough to potentially infect thousands of systems through automated dependency updates.
What Users and Organizations Must Do Now
Telnyx has advised all users to downgrade to version 4.87.0, the last known clean release, and to pin the version in their dependency specifications to prevent automatic upgrades. Organizations should audit their CI/CD logs to determine whether any builds pulled versions 4.87.1 or 4.87.2 between 03:51 and 10:13 UTC on March 27, 2026. If any system did pull the compromised version, it should be treated as potentially compromised—credentials should be rotated, SSH keys regenerated, and Kubernetes secrets reissued.
Beyond immediate remediation, teams should implement stricter dependency management practices: pin all versions explicitly rather than relying on version ranges, use lock files to ensure reproducible builds, and monitor for unexpected network connections from imported libraries. Organizations using telnyx should also review whether they installed LiteLLM during the same period, as developers with both packages installed may have had their telnyx tokens stolen by the earlier compromise.
Is the telnyx compromise limited to PyPI, or were other distribution channels affected?
The Telnyx platform, APIs, and infrastructure were not compromised. The attack was limited to the PyPI distribution channel for the Python SDK. Users who installed telnyx from the official Telnyx repository or through other channels were not affected, only those who pulled the package from PyPI during the exposure window.
How can I tell if my system was infected by the malicious telnyx SDK?
The malicious code executes on import and attempts to fetch ringtone.wav from a remote server, so network monitoring is the most reliable detection method. Look for unexpected outbound connections to unfamiliar domains during the time window of March 27, 2026, between 03:51 and 10:13 UTC. If your build logs show a pull of telnyx versions 4.87.1 or 4.87.2, assume compromise and rotate all credentials immediately.
Why does PyPI allow long-lived API tokens without OIDC protection?
PyPI’s token system predates OIDC Trusted Publishers, a newer standard that ties tokens to specific CI/CD environments and dramatically reduces the window of exposure if a token is stolen. Older projects like telnyx may not have migrated to OIDC yet, leaving them vulnerable to the exact attack that occurred. Package maintainers should prioritize migrating to OIDC to eliminate the risk of long-lived token theft.
The telnyx PyPI supply chain attack is a watershed moment for software supply chain security. It proves that even well-maintained, widely-used SDKs can be weaponized when token management fails, and that attackers can chain compromises across multiple projects to amplify impact. The industry’s focus on hardening server tools and infrastructure must extend to client SDKs and the token systems that protect them. Until PyPI and other package managers enforce OIDC or equivalent protections by default, supply chain attacks of this scale will remain inevitable.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
