BeyondMachines for BeyondMachines

Originally published at beyondmachines.net

TeamPCP Compromises Telnyx Python SDK on PyPI Using WAV Steganography, Steals Credentials

Summary

The threat group TeamPCP backdoored the Telnyx Python SDK on PyPI (versions 4.87.1 and 4.87.2) on March 27, 2026. The malicious releases used WAV audio steganography to deliver a credential harvester and persistence implants targeting SSH keys, cloud/Kubernetes credentials, crypto wallets, and more. The compromise is part of a broader cascading supply chain campaign that began with Aqua Trivy and spread through npm, Checkmarx, and LiteLLM.

Take Action:

If you installed or upgraded the Telnyx Python SDK on March 27, 2026, THIS IS URGENT! Immediately downgrade to version 4.87.0 and treat that environment as fully compromised. Rotate every credential the system could touch (SSH keys, cloud tokens, API keys, database passwords, CI/CD secrets). Check for persistence artifacts: on Windows, look for msbuild.exe in your Startup folder; on Linux, check for audiomon.service; in Kubernetes, look for node-setup-* pods in kube-system. Block all traffic to 83[.]142[.]209[.]203 at your firewall.
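A triage script for the checks listed above, added here as an example and not taken from the original article or from Telnyx. The systemd unit directories and Windows Startup folder paths are assumptions about where the named artifacts would sit, and `suspicious_pods` expects names in the form printed by `kubectl get pods -n kube-system -o name`.

```python
import os
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"4.87.1", "4.87.2"}  # backdoored releases named in the advisory

def telnyx_status(version=None):
    """Classify the installed telnyx version (or one passed in explicitly)."""
    if version is None:
        try:
            version = metadata.version("telnyx")
        except metadata.PackageNotFoundError:
            return "not installed"
    state = "COMPROMISED" if version in BAD_VERSIONS else "ok"
    return f"{state} ({version})"

def default_locations():
    """(directory, filename) pairs to check. The directories are assumptions:
    common systemd unit paths and the per-user/all-users Windows Startup folders."""
    unit_dirs = ["/etc/systemd/system", "/usr/lib/systemd/system",
                 "/lib/systemd/system", Path.home() / ".config/systemd/user"]
    pairs = [(Path(d), "audiomon.service") for d in unit_dirs]
    startup = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    for var in ("APPDATA", "PROGRAMDATA"):
        if os.environ.get(var):
            pairs.append((Path(os.environ[var]) / startup, "msbuild.exe"))
    return pairs

def find_artifacts(locations):
    """Return the paths from (directory, filename) pairs that exist on disk."""
    return [d / name for d, name in locations if (d / name).exists()]

def suspicious_pods(pod_names):
    """Filter `kubectl get pods -n kube-system -o name` output lines
    (e.g. "pod/coredns-abc") for the node-setup-* pattern."""
    return [n for n in pod_names if n.strip().split("/")[-1].startswith("node-setup-")]

if __name__ == "__main__":
    print("telnyx:", telnyx_status())
    for hit in find_artifacts(default_locations()):
        print("persistence artifact found:", hit)
    print("pipe kubectl pod names through suspicious_pods() to check kube-system")
```

A clean result from this script does not clear a host that installed 4.87.1 or 4.87.2; the advisory's instruction to treat the environment as fully compromised and rotate credentials still applies.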
