Telnyx Python package hit by data theft breach
Incident
Summary
The telnyx Python package was compromised on PyPI through malicious versions 4.87.1 and 4.87.2, exposing downstream importers to credential theft and data exfiltration. The malicious code was hidden in the package and runs when it is imported, turning a trusted dependency into an infection path. The event matters because it can reach developers and CI systems that installed the package in good faith.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
PyTorch Lightning hit by network compromise
Incident
First: 04.05.2026 20:15
Last: 04.05.2026 20:15
Sources 1
About this happening:
A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Timeline
- 27.03.2026 18:53 · 1 article
TeamPCP publishes malicious telnyx versions to PyPI
Exploitation Observed: TeamPCP compromised the telnyx Python package on PyPI by publishing malicious versions 4.87.1 and 4.87.2 on March 27, 2026, turning a trusted dependency into a credential-harvesting delivery path for downstream users. The project was quarantined, and defenders were told to downgrade to 4.87.0 and rotate secrets.
Sources:
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
- 27.03.2026 18:53 · 2 articles
Analysts map telnyx import-time stealer behavior and .WAV-based exfiltration
Technical Analysis Update: Analysts from Aikido, Endor Labs, Ossprey Security, SafeDep, Socket, and StepSecurity identified malicious code in telnyx/_client.py that runs when the package is imported into a Python application. The payload uses audio steganography with hangup.wav and ringtone.wav, persists on Windows by dropping msbuild.exe into the Startup folder, and on Linux and macOS exfiltrates harvested data as tpcp.tar.gz to 83.142.209[.]203:8080.
Sources:
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
- TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files — thehackernews.com — 27.03.2026 18:53
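
A check for pinned dependencies against the compromised releases named on this page, as an added example (not code from the cited reporting or from the telnyx project). It reads requirements.txt or `pip freeze` style text; the sample input, the extras name and the hash value are constructed.

```python
import re

# Compromised releases named on this page (package -> bad versions).
COMPROMISED = {
    "telnyx": {"4.87.1", "4.87.2"},
    "lightning": {"2.6.2", "2.6.3"},
}

# name, optional [extras], then an exact pin (== or ===) and the version.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)"
)


def normalize(name):
    """PEP 503 normalization: Telnyx, telnyx and TELNYX are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised_pins(text):
    """Return (line_number, package, version) for each exact pin on a bad release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if not match:
            continue  # comments, options (-r, --hash), unpinned or ranged specs
        name, version = normalize(match.group(1)), match.group(2)
        if version in COMPROMISED.get(name, ()):
            hits.append((lineno, name, version))
    return hits


# Constructed sample in `pip freeze` / requirements.txt style.
SAMPLE = """\
# constructed sample, not from a real project
requests==2.32.3
Telnyx==4.87.2 ; python_version >= "3.8"
telnyx==4.87.0
lightning[extra]==2.6.3 \\
    --hash=sha256:0000
telnyx>=4.87
"""

if __name__ == "__main__":
    for lineno, name, version in find_compromised_pins(SAMPLE):
        print(f"line {lineno}: {name}=={version} is a compromised release")
```

Range specifiers such as `telnyx>=4.87` are not flagged because they do not say which release was installed; confirm those against the resolved lock file or `pip freeze` output. A telnyx hit calls for the response given in the timeline: downgrade to 4.87.0 and rotate secrets.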