Backdoored Telnyx PyPI Package Pushes Malware Hidden in WAV Audio


What happened

A backdoored Telnyx PyPI package pushed malware hidden in WAV audio files after threat actors uploaded malicious versions 4.87.1 and 4.87.2 of the official Python SDK. The attack was observed by Aikido, Socket, and Endor Labs, which attributed it to TeamPCP based on the same exfiltration pattern and RSA key seen in earlier incidents. The malicious code was placed in telnyx/_client.py and triggered automatically when the package was imported while preserving normal SDK functionality. On Linux and macOS, the payload downloaded a second stage disguised as ringtone.wav, extracted hidden code using XOR-based decryption, and executed it in memory. On Windows, it downloaded hangup.wav, extracted an executable named msbuild.exe, and placed it in the Startup folder for persistence. 

Who is affected

The direct exposure affects developers and organizations that installed or imported Telnyx PyPI versions 4.87.1 or 4.87.2. The reported impact includes theft of SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other secrets, while Windows systems may also gain persistent malware execution on login. 

Why CISOs should care

This incident matters because it involves a supply chain compromise of a widely used developer package with more than 740,000 monthly downloads on PyPI. It also combines stealthy execution at import time with cross-platform credential theft and, in Kubernetes environments, attempts to enumerate cluster secrets and deploy privileged pods across nodes. 

3 practical actions

  1. Roll back affected environments: Revert any installations of Telnyx versions 4.87.1 or 4.87.2 to version 4.87.0, which researchers identified as the clean release. 
  2. Treat imported systems as compromised: Assume any system that imported the malicious package may already have exfiltrated sensitive data and respond accordingly. 
  3. Rotate exposed secrets immediately: Rotate credentials, SSH keys, cloud tokens, and other sensitive material found on affected systems as soon as possible. 
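The rollback and triage steps above can be scripted. The following is an added example, not code from the article or from Telnyx: it flags requirements or pip-freeze lines that pin telnyx to one of the two malicious releases named above, reports whether the affected version is installed in the current interpreter, and lists the standard Windows Startup folders where the article says the dropped msbuild.exe is placed so they can be checked. The version numbers and file name come from the article; the Startup folder locations are the standard per-user (%APPDATA%) and all-users (%PROGRAMDATA%) paths and are assumptions here, since the article does not say which one was used.

```python
"""Triage helper for the backdoored telnyx 4.87.1 / 4.87.2 PyPI releases.

Added example for this article, not code from the article or from Telnyx.
Version numbers and the msbuild.exe artifact name are taken from the article;
the Startup folder locations are the standard Windows ones (assumption).
"""
import os
import re
import sys
from importlib import metadata

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}  # malicious releases named in the article
CLEAN_VERSION = "4.87.0"                   # release researchers identified as clean
PERSISTENCE_FILENAME = "msbuild.exe"       # dropped into the Startup folder on Windows

# Matches "name==version" pins as written in requirements.txt / pip freeze output.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def scan_requirements(lines):
    """Return [(line_no, version)] for every line pinning telnyx to an affected release.

    Names are normalised (case-folded, '_' -> '-') the way pip does; only exact
    '==' pins are considered, since ranges need resolving against the index.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _PIN.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        version = m.group(2)
        if name == "telnyx" and version in AFFECTED_VERSIONS:
            hits.append((n, version))
    return hits


def installed_telnyx_status():
    """Check the telnyx distribution visible to this interpreter.

    Returns 'not-installed', 'affected', or 'ok:<version>'.
    """
    try:
        ver = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "affected" if ver in AFFECTED_VERSIONS else f"ok:{ver}"


def default_startup_dirs(env=None):
    """Standard Windows Startup folders derived from APPDATA / PROGRAMDATA.

    Takes an environment mapping so it can be exercised on any platform.
    """
    env = os.environ if env is None else env
    dirs = []
    for var in ("APPDATA", "PROGRAMDATA"):  # per-user and all-users locations (assumption)
        base = env.get(var)
        if base:
            dirs.append(os.path.join(base, "Microsoft", "Windows",
                                     "Start Menu", "Programs", "Startup"))
    return dirs


def find_startup_artifacts(startup_dirs):
    """Return the msbuild.exe paths that actually exist inside the given Startup folders."""
    found = []
    for d in startup_dirs:
        candidate = os.path.join(d, PERSISTENCE_FILENAME)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def rollback_command():
    """pip invocation that pins the clean release identified by researchers."""
    return f"pip install telnyx=={CLEAN_VERSION}"


if __name__ == "__main__":
    # Usage: python triage_telnyx.py [requirements.txt ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line_no, ver in scan_requirements(fh):
                print(f"{path}:{line_no}: pins telnyx=={ver} (affected)")
    print("installed telnyx:", installed_telnyx_status())
    for artifact in find_startup_artifacts(default_startup_dirs()):
        print("persistence artifact present:", artifact)
    print("rollback:", rollback_command())
```

A hit from `scan_requirements` or an `affected` status means the host falls under action 2 above and should be treated as compromised rather than merely rolled back; the Startup folder check only covers the Windows persistence described in the article and says nothing about the in-memory Linux and macOS stage.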


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.