[SECURITY] PyPI versions 4.87.1 and 4.87.2 are compromised — malicious code injected into _client.py

[kiran-sec]

Updates

2026-03-27 10:13 UTC

• Both malicious versions have been quarantined by PyPI.
• Full technical analysis with mitigations and IoCs: Endor Labs — TeamPCP Strikes Again: telnyx Compromised Three Days After LiteLLM

Summary

PyPI versions 4.87.1 and 4.87.2 of telnyx contain malicious code injected into telnyx/_client.py. These versions were published to PyPI on March 27, 2026 without corresponding GitHub releases or tags, indicating the PyPI publishing credentials were compromised. Both versions are currently live on PyPI as the latest releases.

The last known clean version is 4.87.0 (GitHub release v4.87.0, published March 26).

The only file modified is telnyx/_client.py — 74 lines of malicious code were injected:

• Lines 4-10: Malicious imports added (subprocess, tempfile, base64, wave, etc.)
• Line 41-42: Base64 decoder helper function _d()
• Line 459: 4,436-character base64-encoded payload variable _p
• Lines 7761-7804: Windows attack function setup() — downloads a binary disguised in a WAV file from 83.142.209.203:8080, drops it as msbuild.exe in the Windows Startup folder
• Lines 7806-7817: Linux/macOS attack function FetchAudio() — spawns a detached subprocess to decode and execute the _p payload
• Lines 7823-7825: Both functions called at module scope (execute on import telnyx)

Malicious behavior:

• Downloads payloads hidden inside WAV audio files from http://83.142.209.203:8080/ (steganography)
• On Windows: Extracts a native binary from WAV, drops to %APPDATA%\...\Startup\msbuild.exe (persistence across reboots)
• On Linux/macOS: Extracts a credential harvester from WAV, collects credentials, encrypts with AES-256-CBC + RSA-4096, exfiltrates as tpcp.tar.gz via HTTP POST

GitHub source (v4.87.0) is clean — the malicious code exists only in the PyPI artifacts.

Attribution

This attack is attributed to TeamPCP with high confidence based on:

• Identical RSA-4096 public key as the litellm PyPI compromise (March 2026)
• tpcp.tar.gz archive name and X-Filename: tpcp.tar.gz HTTP header (TeamPCP signature)
• Identical AES-256-CBC + RSA OAEP encryption scheme via openssl CLI

Indicators of Compromise

IoC	Type
telnyx==4.87.1	Malicious package version
telnyx==4.87.2	Malicious package version
83.142.209.203	C2 IP address
http://83.142.209.203:8080/ringtone.wav	Payload endpoint (Linux/macOS)
http://83.142.209.203:8080/hangup.wav	Payload endpoint (Windows)
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe	Windows persistence

SHA-256 Hashes (Malicious Artifacts)

File	SHA-256
telnyx-4.87.1-py3-none-any.whl	7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
telnyx-4.87.2-py3-none-any.whl	cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3

[ramimac]

To understand the full TeamPCP campaign: https://ramimac.me/teampcp

Additional vendor blogs:

• https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm
• https://safedep.io/malicious-telnyx-pypi-compromise/
• https://ossprey.com/blog/telnyx-pypi-malware-wav/

(this one was easily caught "off the wire" by ~everyone who does pypi monitoring)

[SerJaimeLannister]

I found this article0 which suggests doing the following if anyone is compromised by the telnyx hack:

Check for pgmon.service,litellm_init.pth, and all CanisterWorm file indicators immediately.
Rotate everything if you ran any affected tooling during March 19-24: npm tokens, PyPI tokens, Docker Hub tokens, AWS keys, GCP service accounts, Azure credentials, Kubernetes tokens, SSH keys, GitHub PATs.

If you use telnyx: rotate all Telnyx API keys, check account activity for unexpected phone number activity, send payments, or API usage spikes.

Audit all npm packages in your lock files for unexpected patch version bumps between March 20-24. Any patch bump during that window from a publisher in the affected scopes is suspect.

Kill and remove pgmon:systemctl --user stop pgmon; systemctl --user disable pgmon; rm -f ~/.config/systemd/user/pgmon.service; rm -rf ~/.local/share/pgmon/

Rebuild CI/CD runners from scratch. Do not simply rotate credentials on a potentially infected runner - the systemd backdoor survives credential rotation and will steal the new credentials.

Pin all GitHub Actions to full commit SHAs. Tags can be force-pushed. SHAs cannot be changed. This is the single most effective prevention for the entire GitHub Actions attack class.

Pin Python and npm dependencies with hashes. pip install --require-hashes -r requirements.txt. Any tampered package with a different hash fails to install.

If you have npm publishing tokens in any CI environment, scope them to the minimum required packages. A token that can publish to 28 packages is 28x the blast radius of a token that can publish to one.

Hope this helps (anyone who is effected by the telnyx package supply chain attack).

[miketheman]

Releases removed, advisory published. Prettier rendering.

[DanielRuf]

I must say, that was a very well coordinated and quick response.