    TeamPCP strikes again: Backdoored Telnyx PyPI package delivers malware

By admin, March 27, 2026

TeamPCP continues its supply chain compromise rampage, with telnyx on PyPI being the latest maliciously modified package.

    What happened?

The telnyx package is a widely used Python software development kit (SDK) for the Telnyx AI Voice Agent service.

    According to Endor Labs researchers, attackers backdoored the legitimate SDK code and published versions 4.87.1 and 4.87.2 of the package on the Python Package Index (PyPI), one shortly after the other.

    The malicious code wasn’t functional in the first version due to a typo, so a second version had to be published.

The malicious releases were published on 27 March 2026, between 03:51 UTC and 04:07 UTC, “without corresponding GitHub releases or tags, indicating the PyPI publishing credentials were compromised,” Endor Labs’ Kiran Raj explained.

    “We believe the most likely vector is the litellm compromise itself,” he added.

    “TeamPCP’s harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already in TeamPCP’s hands. The three-day gap fits the time needed to sift through stolen credentials and pick the next target.”

    The telnyx PyPI project has since been quarantined.
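A quick way to check whether an environment or a project ever pulled in the two releases named above is to look at both the installed distribution metadata and any pinned requirements or lock files. The script below is an added example for this page and is not Endor Labs', Telnyx's or PyPI's code; the requirements text it scans is constructed sample input, and the only facts it relies on from the article are the affected version numbers 4.87.1 and 4.87.2.

```python
"""Check an interpreter and its dependency files for the backdoored telnyx
releases (4.87.1 and 4.87.2) named in the article.

Added example for this page; not Endor Labs' or Telnyx's code.
"""
import re
from importlib import metadata
from typing import List

# Versions published from the compromised PyPI credentials, per the article.
BAD_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}

# Matches "telnyx==4.87.1" or "Telnyx[async] == 4.87.2"; PyPI names are
# case-insensitive, so the match is too.
_PIN_RE = re.compile(r"^\s*telnyx(\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.I)


def bad_pins_in_requirements(text: str) -> List[str]:
    """Return the lines of a requirements/constraints/freeze file that pin
    telnyx to a known-bad version. Comments and other packages are ignored."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = _PIN_RE.match(line)
        if m and m.group(2) in BAD_TELNYX_VERSIONS:
            hits.append(line.strip())
    return hits


def installed_telnyx_status() -> str:
    """Report whether the telnyx distribution visible to this interpreter is
    one of the malicious releases: 'not-installed', 'clean' or 'MALICIOUS'."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "MALICIOUS" if version in BAD_TELNYX_VERSIONS else "clean"


# Constructed sample requirements content (not from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
telnyx==4.87.1   # pulled in by the voice-agent service
Telnyx[async] == 4.87.2
telnyx==4.86.0
"""

if __name__ == "__main__":
    print("installed telnyx:", installed_telnyx_status())
    for hit in bad_pins_in_requirements(SAMPLE_REQUIREMENTS):
        print("bad pin:", hit)
```

Run it inside each virtual environment and CI image that could have installed telnyx during the publication window, and point `bad_pins_in_requirements` at the output of `pip freeze` as well as committed lock files; a pin is only evidence of exposure, so a hit on a build host should be treated the way the researchers describe below, as a full credential rotation, not a package downgrade.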

    A new malware delivery mechanism

    Between the LiteLLM and the Telnyx compromises, the group changed some things.

    For one, the malicious package delivered the encoded malicious payload in the audio frame data of a valid WAV file.

Secondly, the malicious packages were smaller than in previous attacks, as the real payload was fetched at runtime from the command-and-control (C2) server, which was reached by a “raw” IP address instead of an impersonated domain such as models.litellm.cloud in the LiteLLM attack.

    When a malicious telnyx package is imported, it executes immediately and retrieves and drops a persistent executable on Windows systems or an information stealer on Linux/macOS systems.
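Because the loader hid its payload in the audio frames of an otherwise valid WAV file, a useful triage step when reviewing a package distribution is to parse any bundled WAV files and ask whether their frames look like sampled audio at all. The script below is an added example for this page, not Endor Labs', Telnyx's or the attackers' code: it walks the RIFF chunk list itself (rather than trusting the `wave` module to accept the file), extracts the `data` chunk, and flags files whose frames are almost entirely printable ASCII, which is the profile of a base64- or hex-encoded blob rather than of PCM audio. Both sample files are constructed in memory; the 0.9 threshold is an assumption to tune against your own audio assets.

```python
"""Heuristic triage of WAV files found inside a package distribution.

Added example for this page, not code from the article or from any project
it names. The sample files are constructed fixtures.
"""
import base64
import io
import math
import struct
import wave
from pathlib import Path
from typing import List, Optional


def wav_data_chunk(blob: bytes) -> Optional[bytes]:
    """Walk the RIFF chunk list and return the raw frames of the 'data' chunk,
    or None if the bytes are not a RIFF/WAVE container or lack a data chunk."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return None
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if chunk_id == b"data":
            return blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return None


def printable_ratio(frames: bytes) -> float:
    """Fraction of bytes that fall in the printable ASCII range 0x20-0x7e."""
    if not frames:
        return 0.0
    return sum(1 for b in frames if 0x20 <= b <= 0x7E) / len(frames)


def looks_like_embedded_text(blob: bytes, threshold: float = 0.9) -> bool:
    """True when a WAV's audio frames are overwhelmingly printable ASCII,
    the profile of an encoded payload rather than of sampled audio."""
    frames = wav_data_chunk(blob)
    return frames is not None and printable_ratio(frames) >= threshold


def scan_tree(root: Path) -> List[Path]:
    """Return the .wav files under root whose frames look like encoded text."""
    return [p for p in root.rglob("*.wav") if looks_like_embedded_text(p.read_bytes())]


def make_wav(frames: bytes) -> bytes:
    """Wrap raw 16-bit mono frames in a valid WAV container (test fixture)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()


# Constructed fixtures: one second of a 440 Hz tone, and a base64 string of
# placeholder text standing in for an encoded payload (not a real sample).
_tone = [int(20000 * math.sin(2 * math.pi * 440 * i / 8000)) for i in range(8000)]
CLEAN_WAV = make_wav(struct.pack("<8000h", *_tone))
_text = base64.b64encode(b"constructed placeholder payload bytes " * 40)
SUSPECT_WAV = make_wav(_text[: len(_text) & ~1])  # even length = whole frames

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WAV), ("suspect", SUSPECT_WAV)):
        ratio = printable_ratio(wav_data_chunk(blob))
        print(name, round(ratio, 2), "SUSPICIOUS" if looks_like_embedded_text(blob) else "ok")
```

Point `scan_tree` at an unpacked wheel or sdist (for example the extracted contents of the downloaded archive) rather than at an installed site-packages tree, so that the check runs before anything in the package is imported; the article notes the loader executes on import, so reviewing the archive on disk is the safe order of operations.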

    The latter is designed to exfiltrate a wide range of sensitive data across systems: SSH keys and configurations; cloud credentials; authentication data from developer tools like Docker, npm, Git, and Vault; database credentials; environment configuration files (to extract embedded secrets like API keys and tokens); shell and database histories; and cryptocurrency wallet data.

    “If a Kubernetes service account token exists, the malware goes after the entire cluster,” Endor Labs researchers noted.

    “[It] deploys a privileged pod to every node in kube-system, each mounting the host root filesystem at /host with hostPID, hostNetwork, and privileged: True. The pods chroot into the host to install the persistence implant directly on the node.”
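The cluster-takeover pattern quoted above (a pod per node in kube-system, privileged, with hostPID and hostNetwork, mounting the node's root filesystem at /host) is easy to hunt for in a pod listing. The audit below is an added example for this page, not Endor Labs' code or the malware itself: it takes the parsed JSON of `kubectl get pods --all-namespaces -o json`, reports every pod that combines a privileged container with a hostPath volume for `/`, and records the hostPID/hostNetwork flags and mount path as supporting detail. The pod list embedded in it is constructed sample data, and the pod and service-account names in it are placeholders.

```python
"""Audit a Kubernetes pod listing for privileged pods that mount the node's
root filesystem, the pattern the article quotes for the persistence implant.

Added example for this page; not Endor Labs' code. Input is the parsed output
of `kubectl get pods --all-namespaces -o json`. SAMPLE_POD_LIST is constructed.
"""
import json
import sys
from typing import List, Optional


def risky_host_pods(pod_list: dict, namespace: Optional[str] = "kube-system") -> List[dict]:
    """Return one finding per pod that runs a privileged container and mounts
    hostPath '/' in any container. hostPID and hostNetwork are reported as
    aggravating flags. namespace=None audits every namespace."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        if namespace is not None and meta.get("namespace") != namespace:
            continue
        host_root_volumes = {
            v["name"] for v in spec.get("volumes", [])
            if (v.get("hostPath") or {}).get("path") == "/"
        }
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        privileged = [c["name"] for c in containers
                      if (c.get("securityContext") or {}).get("privileged")]
        mount_points = [m.get("mountPath") for c in containers
                        for m in c.get("volumeMounts", [])
                        if m.get("name") in host_root_volumes]
        if privileged and host_root_volumes:
            findings.append({
                "pod": f"{meta.get('namespace')}/{meta.get('name')}",
                "privileged_containers": privileged,
                "host_root_mounted_at": mount_points,
                "hostPID": bool(spec.get("hostPID")),
                "hostNetwork": bool(spec.get("hostNetwork")),
                "serviceAccount": spec.get("serviceAccountName"),
                "owner": [o.get("kind") for o in meta.get("ownerReferences", [])],
            })
    return findings


# Constructed sample listing: a benign node agent (hostNetwork only, /proc
# mount), an implant-style pod matching the quoted pattern, and a privileged
# debug pod outside kube-system. Names are placeholders.
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"name": "node-metrics-a1b2", "namespace": "kube-system",
                  "ownerReferences": [{"kind": "DaemonSet"}]},
     "spec": {"hostNetwork": True, "serviceAccountName": "node-metrics",
              "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
              "containers": [{"name": "exporter",
                              "volumeMounts": [{"name": "proc", "mountPath": "/host/proc"}]}]}},
    {"metadata": {"name": "host-agent-x9y8", "namespace": "kube-system"},
     "spec": {"hostPID": True, "hostNetwork": True, "serviceAccountName": "default",
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "agent", "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}},
    {"metadata": {"name": "debug-shell", "namespace": "default"},
     "spec": {"volumes": [{"name": "h", "hostPath": {"path": "/"}}],
              "containers": [{"name": "sh", "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "h", "mountPath": "/mnt"}]}]}},
]}

if __name__ == "__main__":
    listing = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for finding in risky_host_pods(listing, namespace=None):
        print(json.dumps(finding))
```

Some legitimate node agents (CSI node plugins, certain security sensors) match this shape, so triage findings by their `owner` field: a DaemonSet you deployed is expected, while a pod with no owner reference, or one created by a service account that should never create pods, is the anomaly to chase. A Kubernetes audit log query for `pods` create events from that same service account gives the creation time and client that planted it.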

    Finally, the stolen sensitive data is encrypted and exfiltrated.

    TeamPCP signatures

Analyses of the incident have revealed indisputable links to TeamPCP, which compromised Trivy, LiteLLM, and Checkmarx’s IDE extensions and GitHub Actions in the past week or so.

    Endor Labs says its attribution is based on multiple overlapping indicators: the use of an RSA-4096 public key previously observed in the LiteLLM PyPI compromise, the use of the same AES-256-CBC + RSA OAEP encryption scheme for data exfiltration, and the presence of specific archive files and headers during data exfiltration that are a TeamPCP signature.

The researchers shared indicators of compromise and advised on how to check systems and logs for them. “Treat any match as a full-environment compromise — rotate all credentials,” they advised.

    SafeDep and Aikido researchers’ write-ups are also a good source of advice.
