Telnyx malicious payload stealer delivered via WAV files
Malware Activity
Summary
TeamPCP pushed malicious telnyx package releases whose payload turns a plain `import telnyx` into credential harvesting and encrypted exfiltration across Windows, Linux, and macOS. The activity matters because the payload is hidden inside .WAV files and runs silently in any developer workstation or CI job that imports the package; no call to the Telnyx API is needed. On Windows it drops an executable named msbuild.exe into the Startup folder for persistence, while on Linux and macOS it runs a fast smash-and-grab collector. Stolen data is sent to 83.142.209[.]203:8080.
Related Happenings
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Telnyx package WAV-hidden credential-stealing malware
Malware Activity
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...
Telnyx package hit by network compromise
Incident
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx Python package hit by data theft breach
Incident
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
How related:
TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data.
About this happening:
The **telnyx** Python package was **compromised on PyPI** with **4.87.1** and **4.87.2**, exposing downstream importers to **credential theft** and **data exfiltration**. The mali...
Timeline
- 27.03.2026 18:53 · 1 article · 2mo ago
Malicious telnyx versions published to PyPI
Initial Disclosure: TeamPCP published malicious telnyx Python package versions 4.87.1 and 4.87.2 to the Python Package Index (PyPI) on March 27, 2026, hiding credential-harvesting code inside a .WAV file. The disclosure advised users to downgrade to telnyx 4.87.0 and to quarantine any project that had installed either bad release.
Sources:
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
- 27.03.2026 18:53 · 1 article · 2mo ago
Injected telnyx code runs on import
Technical Analysis Update: Malicious code injected into `telnyx/_client.py` runs as soon as the telnyx package is imported into a Python application, so a test suite, a linter that imports the module, or a CI job is enough to trigger it. The payload uses audio steganography in a .WAV file to deliver a three-stage runtime chain targeting Windows, Linux, and macOS.
Sources:
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
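The page says the stealer is hidden in a .WAV file but does not describe the embedding method, so the triage script below (added here; not code from the page, from TeamPCP's payload, or from the telnyx project) checks only container structure: bytes appended past the declared RIFF size, chunk IDs that are not part of the WAV format, chunks that overrun the file, and executable or script magic at the start of a chunk payload or trailer. `build_wav` constructs minimal WAV test inputs inline; the chunk ID `pcp0` and the sample payloads are invented for the test and are not indicators from the incident.

```python
import struct
import sys

# Chunk IDs normally found in a WAV container; anything else deserves a look.
STANDARD_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext", b"id3 ", b"smpl"}
# Magic prefixes of PE, ELF, shell scripts and Mach-O images that a carrier file might hide.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def build_wav(samples: bytes, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal 16-bit mono 8 kHz PCM WAV (constructed test input, not a real capture)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    for cid, payload in ((b"data", samples),) + tuple(extra_chunks):
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"  # RIFF chunks are word-aligned
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer


def _looks_executable(blob: bytes) -> bool:
    return any(blob.startswith(m) for m in EXEC_MAGIC)


def wav_anomalies(blob: bytes) -> list:
    """Walk the RIFF chunk list and report structural oddities worth a manual look."""
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    declared_end = 8 + riff_size
    if declared_end < len(blob):
        # Bytes after the declared size are ignored by audio players: a classic carrier spot.
        trailer = blob[declared_end:]
        findings.append(f"{len(trailer)} trailing bytes after declared RIFF size")
        if _looks_executable(trailer):
            findings.append("executable magic in trailing bytes")
    elif declared_end > len(blob):
        findings.append("RIFF size exceeds file length (truncated or bogus header)")
    end = min(declared_end, len(blob))
    pos, seen = 12, set()
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        if pos + 8 + size > end:
            findings.append(f"chunk {cid!r} overruns the file")
            break
        payload = blob[pos + 8:pos + 8 + size]
        seen.add(cid)
        if cid not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {cid!r} ({size} bytes)")
        if _looks_executable(payload):
            findings.append(f"executable magic inside chunk {cid!r}")
        pos += 8 + size + (size & 1)  # skip the pad byte after odd-sized chunks
    if b"data" not in seen:
        findings.append("no data chunk")
    return findings


if __name__ == "__main__":
    # Usage: python wav_triage.py suspicious.wav
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, wav_anomalies(fh.read()) or ["no structural anomalies"])
```

A clean file produces an empty list; anything else is a reason to pull the file into a sandbox. The check is deliberately blind to sample-level encodings such as least-significant-bit hiding, which leave the container intact and need entropy or spectral analysis instead.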
- 27.03.2026 18:53 · 1 article · 2mo ago
Compromised telnyx payload persists on Windows and exfiltrates secrets
Victim Impact Update: On Windows, the payload downloads `hangup.wav` from a C2 server, extracts an executable, and drops it as `msbuild.exe` in the Startup folder for reboot persistence; the genuine MSBuild ships under the Visual Studio and .NET Framework directories and never belongs in a Startup folder, so a copy there is a strong indicator on its own. On Linux and macOS, it fetches `ringtone.wav`, runs a collector script, and exfiltrates harvested data as `tpcp.tar.gz` to `83.142.209[.]203:8080`.
Sources:
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
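The indicators on this page (the two bad versions, the four filenames, and the exfiltration endpoint) fit a small sweep that a responder can run on a workstation or CI image. The script below is an added example, not code from the page or the telnyx project. It reads the installed telnyx version from package metadata, flags IOC filenames in a list of paths (treating `msbuild.exe` as suspicious only inside a Startup folder), and greps proxy or firewall log lines for the refanged C2 address. `SAMPLE_PATHS` and `SAMPLE_LOG` are constructed inputs for the demonstration; in practice feed it the output of a file listing and your real egress logs.

```python
import json
import re
from importlib.metadata import PackageNotFoundError, version as dist_version
from typing import Iterable, List, Optional

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}  # the two bad releases named in the disclosure
C2_RE = re.compile(r"\b83\.142\.209\.203(?::8080)?\b")  # 83.142.209[.]203:8080, refanged
# Filenames used by the payload; tpcp.tar.gz is the exfil archive and may linger on disk.
IOC_FILENAMES = {"hangup.wav", "ringtone.wav", "msbuild.exe", "tpcp.tar.gz"}

SAMPLE_PATHS = [  # constructed file listing, not from a real host
    r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe",
    r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
    "/tmp/ringtone.wav",
    "/home/ci/project/requirements.txt",
]
SAMPLE_LOG = [  # constructed proxy lines
    "2026-03-27T18:55:01Z allow 10.0.0.5 -> pypi.org:443",
    "2026-03-27T18:55:09Z allow 10.0.0.5 -> 83.142.209.203:8080",
    "2026-03-27T18:56:00Z allow 10.0.0.5 -> github.com:443",
]


def is_malicious_version(ver: str) -> bool:
    return ver.strip() in MALICIOUS_VERSIONS


def installed_telnyx_version() -> Optional[str]:
    """Version of telnyx installed in this interpreter, or None if it is absent."""
    try:
        return dist_version("telnyx")
    except PackageNotFoundError:
        return None


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Paths whose basename is an IOC filename. msbuild.exe is flagged only inside a
    Startup folder, because the genuine MSBuild lives under Visual Studio / .NET."""
    hits = []
    for p in paths:
        parts = [x for x in re.split(r"[\\/]+", p) if x]  # accept both separators
        name = parts[-1].lower() if parts else ""
        if name not in IOC_FILENAMES:
            continue
        if name == "msbuild.exe" and "startup" not in (x.lower() for x in parts[:-1]):
            continue
        hits.append(p)
    return hits


def c2_log_hits(lines: Iterable[str]) -> List[str]:
    """Log lines that mention the exfiltration endpoint, with or without the port."""
    return [ln for ln in lines if C2_RE.search(ln)]


def sweep(paths: Iterable[str] = SAMPLE_PATHS, log_lines: Iterable[str] = SAMPLE_LOG) -> dict:
    ver = installed_telnyx_version()
    return {
        "telnyx_version": ver,
        "malicious_version": bool(ver) and is_malicious_version(ver),
        "ioc_paths": suspicious_paths(paths),
        "c2_log_lines": c2_log_hits(log_lines),
    }


if __name__ == "__main__":
    print(json.dumps(sweep(), indent=2))
```

A hit on the version check alone means the import-time payload has already run wherever that environment imported telnyx, so treat every secret reachable from that host as exposed and rotate it, rather than only pinning back to 4.87.0.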