Telnyx provides popular communication APIs for voice and messaging, and its Python package receives approximately 750,000 monthly downloads. Versions 4.87.1 and 4.87.2 contained hidden code designed to steal highly sensitive developer credentials.
The attack was carefully engineered to trigger automatically the moment any application loaded the library, requiring zero user interaction. PyPI quarantined both versions after roughly four hours, but the blast radius remains large.
This incident is part of a broader, high-speed campaign by TeamPCP that previously hit Trivy, Checkmarx, LiteLLM, and dozens of npm packages. The group’s recent partnership with cybercriminal organizations significantly increases the risk that stolen data will fuel targeted ransomware operations.
Attack Execution and Malware Mechanics
The attackers bypassed standard source code controls by using a stolen publishing token to upload the packages directly to PyPI. By utilizing the project’s legitimate build tools, they ensured the malicious packages passed standard hash integrity checks.
The only modified file was _client.py, which silently executed a different attack chain depending on the host operating system.
```python
from ._client import Client, Stream, Telnyx, Timeout, Transport, AsyncClient, AsyncStream, AsyncTelnyx, RequestOptions
```

On Windows machines, the malware downloaded a disguised WAV audio file containing a hidden executable. This executable, named msbuild.exe, was placed in the startup folder to run automatically upon user login.

```python
setup()       # Windows attack path
FetchAudio()  # Linux/macOS attack path
```

The malicious binary used advanced techniques, such as unhooking core system libraries, to blind endpoint detection tools before injecting a remote access trojan into a legitimate system process.
This Trojan gave the attackers complete control over the infected machine, allowing them to browse files, execute commands, and pivot across the network.
Impact and Remediation
Organizations that installed the affected Telnyx versions must treat the incident as a confirmed network breach.
Removing the malicious package is not enough, as the persistent backdoors will remain active on infected Windows machines and Kubernetes clusters.
Security teams must immediately and completely rotate all exposed credentials, including cloud access keys, database passwords, and pipeline tokens.
On the endpoint side, defenders should investigate hidden lock files or unexpected binaries in user startup directories.
Development teams can prevent future supply chain infections by pinning exact dependency versions, utilizing lockfiles, and blocking package managers from running in production environments.
Using dedicated secrets managers ensures sensitive tokens never rest in plain text on the filesystem, where automated harvesters can easily find them.
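As an added example (not code from the article or from the Telnyx project), the following script audits a requirements file for the two quarantined releases and for loose specifiers that a resolver could satisfy with one of them; the file contents in SAMPLE are constructed.

```python
"""Audit a requirements file for the quarantined telnyx releases.

Added example, not code from the article or the Telnyx project. The affected
versions (4.87.1, 4.87.2) come from the write-up; SAMPLE is constructed.
"""
import re
AFFECTED = {("telnyx", "4.87.1"), ("telnyx", "4.87.2")}
# name, optional [extras], version specifier (PEP 508 subset, no URLs/markers), "# comment"
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$")

def normalize(name: str) -> str:
    """PEP 503 normalization so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(line: str):
    """Return (name, status) or None for blank, comment and option lines.

    affected: pinned with == to a quarantined release; exact: pinned with == to
    another release; loose: unpinned or a range the resolver could satisfy badly.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ.match(stripped)
    if not m:
        return None
    name, spec = normalize(m.group(1)), m.group(3)
    exact = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.]*)", spec)
    if exact:
        return name, "affected" if (name, exact.group(1)) in AFFECTED else "exact"
    return name, "loose"

def audit(text: str):
    """Return (lineno, name, status) for every requirement line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify(line)
        if result:
            findings.append((lineno, *result))
    return findings
SAMPLE = """# constructed sample requirements.txt
telnyx==4.87.2
requests>=2.31
Telnyx
httpx==0.27.0  # pinned
"""
if __name__ == "__main__":
    for lineno, name, status in audit(SAMPLE):
        print(f"line {lineno}: {name} -> {status}")
```

Run it against a real requirements.txt or exported lockfile; any "affected" line is a confirmed install of a quarantined release, and "loose" lines are where an exact pin is missing.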
The post Malicious Telnyx Python Package On PyPI Targets Developer Credentials appeared first on Cyber Security News.