Backdoored Telnyx PyPI Package Pushes Malware Hidden in WAV Audio

What happened

A backdoored Telnyx PyPI package pushed malware hidden in WAV audio files after threat actors uploaded malicious versions 4.87.1 and 4.87.2 of the official Python SDK. The attack was observed by Aikido, Socket, and Endor Labs, which attributed it to TeamPCP because the exfiltration pattern and RSA key matched those seen in earlier incidents. The malicious code was added to telnyx/_client.py and ran automatically whenever the package was imported, while the SDK otherwise behaved normally, so the compromise did not show up in ordinary use. On Linux and macOS, the payload downloaded a second stage disguised as ringtone.wav, recovered the hidden code with an XOR-based decoding routine, and executed it in memory. On Windows, it downloaded hangup.wav, extracted an executable named msbuild.exe from it, and placed it in the Startup folder so that it would run again at every login.

Who is affected

The direct exposure affects developers and organizations that installed or imported Telnyx PyPI versions 4.87.1 or 4.87.2. The reported impact includes theft of SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other secrets, while Windows systems may also gain persistent malware execution on login. 

Why CISOs should care

This incident matters because it involves a supply chain compromise of a widely used developer package with more than 740,000 monthly downloads on PyPI. It also combines stealthy execution at import time with cross-platform credential theft and, in Kubernetes environments, attempts to enumerate cluster secrets and deploy privileged pods across nodes. Because the code runs on import rather than on any particular API call, merely loading the SDK (in a test suite or a CI job, for example) was enough to trigger it.

3 practical actions

  1. Roll back affected environments: Revert any installations of Telnyx versions 4.87.1 or 4.87.2 to version 4.87.0, which researchers identified as the clean release. 
  2. Treat imported systems as compromised: Assume any system that imported the malicious package may already have exfiltrated sensitive data and respond accordingly. 
  3. Rotate exposed secrets immediately: Rotate credentials, SSH keys, cloud tokens, and other sensitive material found on affected systems as soon as possible. 
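The first two actions can be scripted. The following is an added example, not code from the article or from Aikido, Socket, Endor Labs or Telnyx: it scans a requirements file or pip freeze output for the two malicious pins, rolls them back to 4.87.0, reports the version installed in the current interpreter, and flags msbuild.exe in a Windows Startup folder listing. The sample requirements text and the Startup folder path are constructed for illustration; only the version numbers and the artifact name come from the reports.

```python
"""Triage helper for the backdoored telnyx releases (added example).

Added example, not code from the article or from Aikido, Socket,
Endor Labs or Telnyx. It finds malicious pins in an environment or lock
file, rolls them back to the clean release, and flags the Windows
persistence artifact the reports describe. The sample input below is
constructed for illustration.
"""
import re
from importlib import metadata
from pathlib import Path

PACKAGE = "telnyx"
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}  # backdoored releases per the reports
CLEAN_VERSION = "4.87.0"                    # last clean release per the reports
DROPPED_BINARY = "msbuild.exe"              # Windows second stage, per the reports

# Matches "telnyx==4.87.1", "Telnyx == 4.87.2 ; python_version >= '3.9'" and
# the lines `pip freeze` prints; the group captures only the version.
_PIN_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE)


def is_malicious(version):
    """True for the two releases the researchers identified as backdoored."""
    return version.strip() in MALICIOUS_VERSIONS


def installed_telnyx_version():
    """Version of telnyx in the current interpreter, or None if absent.

    Reads the dist-info metadata only; it never imports the package, so
    checking a suspect environment does not trigger the import-time payload.
    """
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


def scan_pins(text):
    """Scan requirements/constraints text (or `pip freeze` output).

    Returns a list of (line_number, version, verdict) for each telnyx pin.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _PIN_RE.match(line)
        if m:
            ver = m.group(1)
            findings.append((lineno, ver, "MALICIOUS" if is_malicious(ver) else "ok"))
    return findings


def roll_back_pins(text):
    """Return the same text with malicious telnyx pins replaced by the clean
    release; environment markers, comments and other packages are untouched."""
    out = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m and is_malicious(m.group(1)):
            line = line[: m.start(1)] + CLEAN_VERSION + line[m.end(1):]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def flag_startup_entries(names):
    """Given file names from a Windows Startup folder, return those that
    match the dropped binary name (case-insensitive)."""
    return [n for n in names if n.lower() == DROPPED_BINARY]


def startup_folder_hits(startup_dir):
    """List matching entries in a real Startup folder; empty if it is absent."""
    p = Path(startup_dir)
    if not p.is_dir():
        return []
    return flag_startup_entries([f.name for f in p.iterdir()])


# Constructed sample lock file; the telnyx line is the one to catch.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
telnyx==4.87.2 ; python_version >= "3.8"
numpy>=1.26
"""

if __name__ == "__main__":
    print("installed telnyx:", installed_telnyx_version())
    for lineno, ver, verdict in scan_pins(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: telnyx=={ver} -> {verdict}")
    print(roll_back_pins(SAMPLE_REQUIREMENTS), end="")
    # Hypothetical Startup folder path; substitute the real per-user one.
    startup = r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    print("startup hits:", startup_folder_hits(startup))
```

Two points of design. The installed-version check deliberately goes through importlib.metadata rather than `import telnyx`, because importing the package is exactly what triggers the backdoor. And a clean pin is not a clean system: if the scan or the installed-version check ever reported 4.87.1 or 4.87.2 on a host, that host has already imported the malicious code at least once, so the second and third actions still apply in full.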
