
TeamPCP infected telnyx Python SDK with PyPI and stole API credentials with payload embedded in WAV audio

Ikesan

On March 27, 2026, versions 4.87.1 and 4.87.2 of the telnyx Python SDK (742,000 downloads per month), the client library for a widely used voice calling API, were compromised on PyPI. Security researchers at Aikido detected the compromise through CanisterWorm's code signature. TeamPCP has introduced a new method of hiding payloads (malicious code) in WAV audio files and harvesting credentials for OpenAI, Anthropic, AWS, and GCP.

Multi-stage attack flow

The telnyx compromise is the latest phase of TeamPCP’s multi-stage attack stemming from the Trivy vulnerability (CVE-2026-33634, CVSS 9.4).

graph TD
    A[Trivy CI/CD vulnerability<br/>CVE-2026-33634 CVSS 9.4<br/>2026-03-19] -->|CI credential theft| B[46+ npm packages compromised<br/>CanisterWorm deployed<br/>2026-03-20]
    B -->|C2: checkmarx.zone| C[OpenVSX and GitHub Actions compromised<br/>2026-03-23]
    C -->|PyPI token theft| D[LiteLLM 1.82.7/1.82.8 compromised<br/>2026-03-24]
    D -->|telnyx PyPI token theft| E[telnyx 4.87.1/4.87.2 compromised<br/>2026-03-27]
    E -->|WAV steganography| F[API credential collection<br/>C2: 83.142.209.203:8080]

The previous phases are detailed in the LiteLLM PyPI compromise article. In the LiteLLM case, a CI/CD misconfiguration (installing Trivy without a pinned version) was the starting point for the PyPI token theft. The GlassWorm supply chain attack on OpenVSX extensions is attributed to the same group of attackers.

Injection points and how WAV steganography works

The malware is executed when the telnyx/_client.py module is imported, not through an installation hook. This design circumvents security tooling that only monitors setup.py hooks.

Steganography (information hiding technology) using WAV audio files is used to hide the payload.

Step | Processing details
1. Create a valid WAV file structure (to avoid content filters)
2. Store the Base64-encoded payload in the audio frame data
3. Extract the first 8 bytes of the frame data as an XOR key
4. XOR the remaining bytes with that key to recover the payload
5. Run the recovered code

Security tools tend to treat WAV files as legitimate audio, making them easier to bypass content-based inspections. Unlike StegaBin’s trick, which uses zero-width Unicode characters to hide C2 URLs, WAV steganography embeds executable code at the binary level.
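A defender-side check for the container trick described above, as an added example that is not code from the article or from the malware: it parses the RIFF chunk list of a WAV file and flags a file whose audio frames consist almost entirely of Base64 alphabet bytes, which real PCM audio never does. The build_wav helper, the 0.95 threshold and the two sample files are constructed for this example.

```python
import base64
import math
import struct

# Base64 alphabet: genuine PCM audio bytes span the whole 0..255 range, so a
# data chunk made almost entirely of these 65 values is text, not audio.
BASE64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def build_wav(frames: bytes, channels: int = 1, rate: int = 8000, width: int = 2) -> bytes:
    """Wrap arbitrary frame bytes in a minimal, structurally valid RIFF/WAVE container."""
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * channels * width,
                      channels * width, width * 8)
    riff_size = 4 + (8 + len(fmt)) + (8 + len(frames))
    return (b"RIFF" + struct.pack("<I", riff_size) + b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(frames)) + frames)

def wav_data_chunk(blob: bytes) -> bytes:
    """Walk the RIFF chunk list and return the raw bytes of the 'data' chunk."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if cid == b"data":
            return blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    raise ValueError("no data chunk")

def base64_ratio(frames: bytes) -> float:
    """Fraction of frame bytes that fall inside the Base64 alphabet."""
    if not frames:
        return 0.0
    return sum(b in BASE64_ALPHABET for b in frames) / len(frames)

def is_suspicious_wav(blob: bytes, threshold: float = 0.95) -> bool:
    """True when the audio frames are (almost) entirely Base64 text."""
    return base64_ratio(wav_data_chunk(blob)) >= threshold

# Constructed samples: a real 440 Hz tone, and a WAV whose frames are Base64 text.
_tone = b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / 8000)))
                 for i in range(400))
BENIGN_WAV = build_wav(_tone)
TEXT_WAV = build_wav(base64.b64encode(b"harmless constructed sample text " * 20))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAV), ("text-in-frames", TEXT_WAV)):
        print(name, round(base64_ratio(wav_data_chunk(blob)), 3), is_suspicious_wav(blob))
```

The check is structural only: a file that passes it can still carry a payload elsewhere in the chunk list, so treat it as one signal alongside network and persistence indicators.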

Payload by platform

Separate payloads are used for Windows and for Linux/Mac.

For Windows

The loader downloads hangup.wav and writes the executable recovered by XOR decoding to disk as msbuild.exe. The persistence location is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, so the file runs automatically at system start. A 12-hour cooldown re-drops the file, so it reappears even after being deleted.

For Linux/Mac

A Base64-encoded Python script is hardcoded on line 459 of _client.py. At runtime it fetches ringtone.wav, decrypts the third-stage collector (the information-gathering module) and activates it. The collected credentials are encrypted with AES-256-CBC together with an RSA-4096 public key, then sent to 83[.]142[.]209[.]203:8080, the attacker's command and control (C2) server. The HTTP request carries an X-Filename: tpcp.tar.gz header.

The API credentials targeted by the attack include those for OpenAI, Anthropic, AWS, and GCP. Projects that use telnyx for voice features in AI application development are at risk of having their credentials for the major AI providers stolen.

Impact scope and compromise indicators

There are two tainted versions.

Version | SHA256 (first bytes)
telnyx==4.87.1 | 7321caa303fe96ded…
telnyx==4.87.2 | cd08115806662469…

Safe versions are 4.87.0 and earlier. If 4.87.3 or a later release appears, verify it individually before use.

Indicators of Compromise (IoC) are:

Type | Value
C2 server | 83[.]142[.]209[.]203:8080
Exfiltration header | X-Filename: tpcp.tar.gz
Windows persistence | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe

What to do

Downgrade or pin telnyx to 4.87.0 or earlier. If you have installed a contaminated version (4.87.1/4.87.2), immediately implement the following:

  • Rotate API keys for OpenAI, Anthropic, AWS, and GCP
  • Rotate database credentials and SSH keys
  • Check outbound HTTP connection logs for traffic to 83[.]142[.]209[.]203

Also, if a CI/CD pipeline depends on telnyx, check its build logs to see whether either compromised version was installed.
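A small triage script for the checks listed above, added here as an example rather than code from the article: it pulls telnyx versions out of requirements files and pip build-log lines, compares them with the two compromised releases, and flags log lines carrying the C2 endpoint or the X-Filename header. The log formats and the sample lines are constructed for this example.

```python
import re

# Indicators from the advisory; pip output and pins use several spellings,
# so match "telnyx==X", "telnyx-X" (wheel names, "Successfully installed").
COMPROMISED_VERSIONS = {"4.87.1", "4.87.2"}
C2_ENDPOINT = "83.142.209.203:8080"
EXFIL_HEADER = "X-Filename: tpcp.tar.gz"
TELNYX_VERSION_RE = re.compile(r"\btelnyx[-=]=?(\d+\.\d+\.\d+)\b", re.IGNORECASE)

def telnyx_versions(lines):
    """All telnyx versions mentioned in requirements, pip freeze or pip install output."""
    found = set()
    for line in lines:
        for m in TELNYX_VERSION_RE.finditer(line):
            found.add(m.group(1))
    return found

def compromised_versions(lines):
    """Sorted list of the compromised versions that appear in the given lines."""
    return sorted(telnyx_versions(lines) & COMPROMISED_VERSIONS)

def ioc_hits(lines):
    """Log lines that mention the C2 endpoint or the exfiltration header."""
    return [line for line in lines if C2_ENDPOINT in line or EXFIL_HEADER in line]

# Constructed sample data (not real logs).
SAMPLE_BUILD_LOG = [
    "Collecting telnyx==4.87.2",
    "  Downloading telnyx-4.87.2-py3-none-any.whl (1.2 MB)",
    "Successfully installed httpx-0.27.0 telnyx-4.87.2",
]
SAMPLE_PROXY_LOG = [
    "2026-03-28T02:14:07Z CONNECT 10.0.4.12 -> 83.142.209.203:8080 POST /",
    "2026-03-28T02:14:07Z hdr X-Filename: tpcp.tar.gz",
    "2026-03-28T02:15:00Z CONNECT 10.0.4.12 -> api.telnyx.com:443 GET /v2/calls",
]

if __name__ == "__main__":
    print("compromised pins/installs:", compromised_versions(SAMPLE_BUILD_LOG))
    for hit in ioc_hits(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
```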

Evolution of TeamPCP’s modus operandi

TeamPCP changes its methods in each phase. In the LiteLLM case the compromise was discovered by accident, as a side effect of a fork bomb (unbounded process creation). In the telnyx version, perhaps as a lesson from that, the execution logic has been tidied up and the design now emphasizes persistence, for example through the 12-hour cooldown.

PyPI signature verification alone cannot stop package uploads made with legitimate tokens stolen from a CI/CD pipeline. Pinning dependency versions and minimizing access to secrets in the CI environment are the effective countermeasures available today.