Telnyx package WAV-hidden credential-stealing malware
Malware Activity
Summary
Hide ▲
Show ▼
The malicious Telnyx package releases 4.87.1 and 4.87.2 delivered credential-stealing malware to imported systems, putting Linux, macOS, and Windows environments at risk. On Unix-like hosts, the payload harvested SSH keys, cloud tokens, cryptocurrency wallets, and environment variables, and it could also enumerate Kubernetes secrets. On Windows, it established Startup folder persistence and used a WAV-hidden second stage to run in memory.
Related Happenings
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
H score22
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
H score30
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
ZiChatBot PyPI supply-chain malware delivery
Malware ActivityAbout this happening: A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
Timeline
-
27.03.2026 23:13 2 articles · 3mo ago
Telnyx package WAV-hidden credential-stealing malware
Initial DisclosureThe first malicious **Telnyx** build appeared at **03:51 UTC** with a broken payload, and a corrected **4.87.2** release followed about **an hour later**. That quick republish shows the malware was actively maintained during the supply-chain compromise.
Show sources
- Backdoored Telnyx PyPI package pushes malware hidden in WAV audio — www.bleepingcomputer.com — 27.03.2026 23:13
- Backdoored Telnyx PyPI package pushes malware hidden in WAV audio — www.bleepingcomputer.com — 27.03.2026 23:13