Telnyx package compromised on PyPI

Original link: https://github.com/team-telnyx/telnyx-python/issues/235

## Telnyx PyPI package compromised - March 27, 2026

PyPI versions 4.87.1 and 4.87.2 of the `telnyx` Python package have been compromised with malicious code injected into the `telnyx/_client.py` file. These versions were published without corresponding GitHub releases, indicating a likely credential leak. The last known clean version is 4.87.0.

The malicious code uses steganography to download payloads disguised as WAV audio files from **83.142.209.203:8080**. On **Windows**, it drops a binary into the Startup folder as `msbuild.exe` for persistence. On **Linux/macOS**, it extracts a credential harvester, encrypts the collected data, and exfiltrates it as `tpcp.tar.gz`.

The attack is attributed to **TeamPCP** because of similarities with the recent `litellm` PyPI compromise, including a shared encryption method and archive naming convention.

**Affected versions:** `telnyx==4.87.1` and `telnyx==4.87.2`. Users are advised to roll back to version 4.87.0 or earlier.


Original text

Updates

2026-03-27 10:13 UTC

Summary

PyPI versions 4.87.1 and 4.87.2 of telnyx contain malicious code injected into telnyx/_client.py. These versions were published to PyPI on March 27, 2026 without corresponding GitHub releases or tags, indicating the PyPI publishing credentials were compromised. Both versions are currently live on PyPI as the latest releases.

The last known clean version is 4.87.0 (GitHub release v4.87.0, published March 26).

The only file modified is telnyx/_client.py — 74 lines of malicious code were injected:

  • Lines 4-10: Malicious imports added (subprocess, tempfile, base64, wave, etc.)
  • Lines 41-42: Base64 decoder helper function _d()
  • Line 459: 4,436-character base64-encoded payload variable _p
  • Lines 7761-7804: Windows attack function setup() — downloads a binary disguised in a WAV file from 83.142.209.203:8080, drops it as msbuild.exe in the Windows Startup folder
  • Lines 7806-7817: Linux/macOS attack function FetchAudio() — spawns a detached subprocess to decode and execute the _p payload
  • Lines 7823-7825: Both functions called at module scope (execute on import telnyx)

Malicious behavior:

  • Downloads payloads hidden inside WAV audio files from http://83.142.209.203:8080/ (steganography)
  • On Windows: Extracts a native binary from WAV, drops to %APPDATA%\...\Startup\msbuild.exe (persistence across reboots)
  • On Linux/macOS: Extracts a credential harvester from WAV, collects credentials, encrypts with AES-256-CBC + RSA-4096, exfiltrates as tpcp.tar.gz via HTTP POST

GitHub source (v4.87.0) is clean — the malicious code exists only in the PyPI artifacts.
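A heuristic scan for the injection pattern the report describes, added here as an example; it is not code from the issue or from Telnyx. It parses a local copy of `telnyx/_client.py` with Python's standard `ast` module and flags the three things listed above: imports of `subprocess`, `tempfile`, `base64` or `wave`; a long base64-looking string bound at module scope (the report cites a 4,436-character `_p`); and module-scope call statements to functions named `setup()` or `FetchAudio()`. The two sample sources are constructed for the demonstration and carry no payload, and the 1,000-character threshold is an assumption chosen for the example.

```python
"""Heuristic scanner for the telnyx/_client.py injection pattern.

Added example (not from the original issue or from Telnyx). It flags
the markers the report describes: unusual imports, a long base64-like
constant at module scope, and import-time calls to setup()/FetchAudio().
"""
import ast
import re
from typing import List

# Modules the report lists among the injected imports.
SUSPICIOUS_IMPORTS = {"subprocess", "tempfile", "base64", "wave"}
# Function names the report says are called at module scope.
SUSPICIOUS_CALLS = {"setup", "FetchAudio"}
# Assumed threshold; the report's payload variable is 4,436 characters.
LONG_CONSTANT_THRESHOLD = 1000
_B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def _base_module(name: str) -> str:
    return name.split(".")[0]


def scan_source(source: str) -> List[str]:
    """Return human-readable findings for one module's source text."""
    findings: List[str] = []
    tree = ast.parse(source)

    # Imports anywhere in the file (the report places them at lines 4-10).
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mod = _base_module(alias.name)
                if mod in SUSPICIOUS_IMPORTS:
                    findings.append(f"line {node.lineno}: import of {mod}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            mod = _base_module(node.module)
            if mod in SUSPICIOUS_IMPORTS:
                findings.append(f"line {node.lineno}: import from {mod}")

    # Module-scope statements only: the report says the attack functions
    # run on `import telnyx`, so we look at tree.body rather than nested code.
    for node in tree.body:
        if isinstance(node, ast.Assign):
            value = node.value
            if (isinstance(value, ast.Constant) and isinstance(value.value, str)
                    and len(value.value) >= LONG_CONSTANT_THRESHOLD
                    and _B64_RE.match(value.value)):
                targets = ", ".join(ast.unparse(t) for t in node.targets)
                findings.append(
                    f"line {node.lineno}: {len(value.value)}-char "
                    f"base64-like constant bound to {targets}")
        elif isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            func = node.value.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: module-scope call to {name}()")
    return findings


def is_suspicious(source: str) -> bool:
    return bool(scan_source(source))


# Constructed sample mimicking the *structure* the report describes; the
# string constant is filler, not the real payload.
SAMPLE_INJECTED = '''
import os
import subprocess
import base64
from wave import open as wave_open

def _d(s):
    return base64.b64decode(s)

_p = "''' + "QUJD" * 400 + '''"

def setup():
    pass

def FetchAudio():
    pass

setup()
FetchAudio()
'''

# Constructed sample of what an unmodified client module looks like.
SAMPLE_CLEAN = '''
import os
from typing import Any

class Telnyx:
    def __init__(self, api_key: Any = None) -> None:
        self.api_key = api_key
'''

if __name__ == "__main__":
    for label, src in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_source(src))
```

To check an installed copy, read the file from site-packages and pass its text to `scan_source()`; a clean 4.87.0 install should produce no findings. The scan matches the names the report gives, so a variant that renames `setup()` or `FetchAudio()` would slip past it; treat it as a triage aid alongside the version and hash indicators, not as a substitute for them.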

Attribution

This attack is attributed to TeamPCP with high confidence based on:

  • Identical RSA-4096 public key as the litellm PyPI compromise (March 2026)
  • tpcp.tar.gz archive name and X-Filename: tpcp.tar.gz HTTP header (TeamPCP signature)
  • Identical AES-256-CBC + RSA OAEP encryption scheme via openssl CLI

Indicators of Compromise

| IoC | Type |
| --- | --- |
| telnyx==4.87.1 | Malicious package version |
| telnyx==4.87.2 | Malicious package version |
| 83.142.209.203 | C2 IP address |
| http://83.142.209.203:8080/ringtone.wav | Payload endpoint (Linux/macOS) |
| http://83.142.209.203:8080/hangup.wav | Payload endpoint (Windows) |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe | Windows persistence |

SHA-256 Hashes (Malicious Artifacts)

| File | SHA-256 |
| --- | --- |
| telnyx-4.87.1-py3-none-any.whl | 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9 |
| telnyx-4.87.2-py3-none-any.whl | cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3 |
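Defender-side checks built from the indicator tables above, added here as an example; this is not code from the issue or from Telnyx. The version strings, C2 host, payload URLs, archive name, persistence path and wheel hashes are the advisory's own values; the requirements text and proxy log lines are constructed for the demonstration, and the log format is an assumption.

```python
"""IoC checks for the telnyx 4.87.1 / 4.87.2 compromise.

Added example, not part of the original issue. Indicator values come from
the advisory; sample inputs below are constructed.
"""
import hashlib
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
LAST_CLEAN_VERSION = "4.87.0"
C2_HOST = "83.142.209.203"
PAYLOAD_URLS: Dict[str, str] = {
    "http://83.142.209.203:8080/ringtone.wav": "Linux/macOS payload endpoint",
    "http://83.142.209.203:8080/hangup.wav": "Windows payload endpoint",
}
EXFIL_ARCHIVE = "tpcp.tar.gz"
MALICIOUS_WHEEL_SHA256: Dict[str, str] = {
    "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9":
        "telnyx-4.87.1-py3-none-any.whl",
    "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3":
        "telnyx-4.87.2-py3-none-any.whl",
}

# Matches a 'telnyx==X.Y.Z' pin; comment lines start with '#' and never match.
_REQ_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def is_malicious_version(version: str) -> bool:
    return version.strip() in MALICIOUS_VERSIONS


def flagged_pins(requirements: str) -> List[str]:
    """Return every pinned telnyx version in requirements text that is malicious."""
    hits = []
    for line in requirements.splitlines():
        m = _REQ_RE.match(line)
        if m and is_malicious_version(m.group(1)):
            hits.append(m.group(1))
    return hits


def classify_sha256(digest: str) -> Optional[str]:
    """Name of the malicious wheel for a known-bad digest, else None."""
    return MALICIOUS_WHEEL_SHA256.get(digest.strip().lower())


def classify_bytes(data: bytes) -> Optional[str]:
    return classify_sha256(hashlib.sha256(data).hexdigest())


def check_wheel(path: str) -> Optional[str]:
    """Hash a downloaded wheel (e.g. from a pip cache) and classify it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return classify_sha256(h.hexdigest())


def windows_persistence_path(appdata: str) -> str:
    """Expand the advisory's %APPDATA% persistence path for a given profile."""
    return ntpath.join(appdata, "Microsoft", "Windows", "Start Menu",
                       "Programs", "Startup", "msbuild.exe")


def find_c2_indicators(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (label, line) for log lines touching the listed network IoCs."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        label: Optional[str] = None
        for url, desc in PAYLOAD_URLS.items():
            if url in line:
                label = desc
                break
        if label is None and EXFIL_ARCHIVE in line:
            label = "TeamPCP exfiltration archive name"
        if label is None and C2_HOST in line:
            label = "C2 host"
        if label:
            hits.append((label, line))
    return hits


# Constructed inputs for the demonstration (assumed proxy-log format).
SAMPLE_REQUIREMENTS = "requests==2.32.0\ntelnyx==4.87.2\n# telnyx==4.87.0 pinned before the bump\n"
SAMPLE_PROXY_LOG = [
    "2026-03-27T10:02:11Z build-01 GET http://83.142.209.203:8080/ringtone.wav 200",
    "2026-03-27T10:02:19Z build-01 POST http://83.142.209.203:8080/ X-Filename: tpcp.tar.gz 200",
    "2026-03-27T10:03:00Z build-02 GET https://pypi.org/simple/telnyx/ 200",
    "2026-03-27T10:05:42Z win-ci-07 GET http://83.142.209.203:8080/hangup.wav 200",
]

if __name__ == "__main__":
    print("flagged pins:", flagged_pins(SAMPLE_REQUIREMENTS))
    for label, line in find_c2_indicators(SAMPLE_PROXY_LOG):
        print(f"{label}: {line}")
    print(windows_persistence_path(r"C:\Users\alice\AppData\Roaming"))
```

A host that only ever fetched the wheel but never imported `telnyx` will not show the network indicators, so pair the log search with `flagged_pins()` over lockfiles and `check_wheel()` over pip caches and artifact mirrors; on Windows, the path returned by `windows_persistence_path()` is the file to look for per user profile.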