Telnyx package WAV-hidden credential-stealing malware
Malware Activity
Summary
The malicious Telnyx package releases 4.87.1 and 4.87.2 delivered credential-stealing malware to systems that imported the package, putting Linux, macOS, and Windows environments at risk. On Unix-like hosts, the payload harvested SSH keys, cloud tokens, cryptocurrency wallets, and environment variables, and it could also enumerate Kubernetes secrets. On Windows, it established persistence through the Startup folder and ran a second stage, hidden in a WAV file, in memory.
Related Happenings
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
The **PCPJack** malware framework is stealing credentials from **exposed Linux cloud systems**, creating a broad risk of account takeover and lateral movement. It targets services...
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
Timeline
- 27.03.2026 23:13 · 2 articles · 2mo ago
Telnyx package WAV-hidden credential-stealing malware
Initial Disclosure: The first malicious **Telnyx** build appeared at **03:51 UTC** with a broken payload, and a corrected **4.87.2** release followed about **an hour later**. That quick republish shows the malware was actively maintained during the supply-chain compromise.
Sources:
- Backdoored Telnyx PyPI package pushes malware hidden in WAV audio — www.bleepingcomputer.com — 27.03.2026 23:13