{"id":415,"date":"2026-03-27T17:24:08","date_gmt":"2026-03-27T17:24:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=415"},"modified":"2026-03-27T17:24:08","modified_gmt":"2026-03-27T17:24:08","slug":"teampcp-pushes-malicious-telnyx-versions-to-pypi-hides-stealer-in-wav-files","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=415","title":{"rendered":"TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files"},"content":{"rendered":"
\n
<\/a><\/div>\n

TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx<\/a> Python package by pushing two malicious versions to steal sensitive data.<\/p>\n

The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) repository on March 27, 2026, concealed their credential harvesting capabilities within a .WAV file. Users are recommended to downgrade to version 4.87.0 immediately. The PyPI project is currently quarantined.<\/p>\n

Various reports from Aikido<\/a>, Endor Labs<\/a>, Ossprey Security<\/a>, SafeDep<\/a>, Socket<\/a>, and StepSecurity<\/a> indicate the malicious code is injected<\/a> into \u00abtelnyx\/_client.py,\u00bb causing it to be invoked when the package is imported into a Python application. The malware is designed to target Windows, Linux, and macOS systems.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abOur analysis reveals a three-stage runtime attack chain on Linux\/macOS consisting of delivery via audio steganography, in-memory execution of a data harvester, and encrypted exfiltration,\u00bb Socket said. \u00abThe entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host.\u00bb<\/p>\n

<\/p>\n

On Windows, the malware downloads a file named \u00abhangup.wav\u00bb from a command-and-control (C2) server and extracts from the audio data an executable that’s then dropped into the Startup folder as \u00abmsbuild.exe.\u00bb This allows it to persist across system reboots and automatically run every time a user logs in to the system.<\/p>\n

In case the compromised host runs on Linux or macOS, it fetches a different .WAV file (\u00abringtone.wav\u00bb) from the same server to extract a third-stage collector script and run. The credential harvester is designed to capture a wide range of sensitive data and exfiltrate the data in the form of \u00abtpcp.tar.gz\u00bb via an HTTP POST request to \u00ab83.142.209[.]203:8080.\u00bb<\/p>\n

\u00abThe standout technique in this sample – and the reason for the post title – is the use of audio steganography to deliver the final payload,\u00bb Ossprey Security said. \u00abRather than hosting a raw executable or a base64 blob on the C2 (both of which are trivially flagged by network inspection and EDR), the attacker wraps the payload inside a .WAV file.\u00bb<\/p>\n

It’s currently not known how the package’s PYPI_TOKEN was obtained by TeamPCP, but it’s likely that it was through a prior credential harvesting operation.<\/p>\n

\u00abWe believe the most likely vector is the litellm compromise itself,\u00bb Endor Labs researchers Kiran Raj and Rachana Misal said. \u00abTeamPCP’s harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already in TeamPCP’s hands.\u00bb<\/p>\n

What’s notable about the attack is the absence of a persistence mechanism in Linux and macOS and the use of a temporary directory to conduct the malicious actions and recursively delete all its contents once everything is complete.<\/p>\n

\u00abThe strategic split is clear. Windows gets persistence: a binary in the Startup folder that survives reboots, providing the threat actor with long-term, repeatable access,\u00bb Socket explained. \u00abLinux\/macOS gets smash-and-grab: a single, high-speed data harvesting operation that collects everything of value and exfiltrates it immediately, then vanishes.\u00bb<\/p>\n

The development comes a few days after the threat actor distributed<\/a> trojanized versions of the popular litellm Python package to exfiltrate cloud credentials, CI\/CD secrets, and keys to a domain under its control.<\/p>\n

The supply chain incident also reflects a new-found maturation, where the threat actor has consistently infected legitimate, trusted packages with massive user bases to distribute malware to downstream users and widen blast radius, rather than directly publishing malicious typosquats to open-source package repositories.<\/p>\n

\u00abThe target selection across this campaign focuses on tools with elevated access to automated pipelines: a container scanner (Trivy), an infrastructure scanning tool (KICS), and an AI model routing library (litellm),\u00bb Snyk said<\/a>. \u00abEach of these tools requires broad read access to the systems it operates on (credentials, configs, environment variables) by design.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

To mitigate the threat, developers are advised to perform the following actions –<\/p>\n