
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

Medium
Published: Mon Mar 30 2026 (03/30/2026, 18:06:14 UTC)
Source: AlienVault OTX General

Description

TeamPCP conducted a sophisticated supply-chain attack by publishing malicious versions (4.87.1 and 4.87.2) of the Telnyx Python SDK on PyPI. The attack uses WAV-based audio steganography to hide malicious code and split-file code injection for evasion, and targets Linux, macOS, and Windows. Upon import, the malicious payload downloads and executes credential-stealing malware; on Windows it persists via the Startup folder. The attackers shifted from HTTPS to plaintext HTTP for command and control, increasing exposure to network monitoring. Organizations using the Telnyx SDK are advised to downgrade to the last known clean version and treat potentially affected systems as compromised. No CVSS score is assigned, but the threat is assessed as high severity due to multi-platform credential theft and stealthy evasion methods.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/30/2026, 21:53:25 UTC

Technical Analysis

The TeamPCP threat actor group executed a sophisticated supply-chain attack targeting the Telnyx Python SDK by publishing malicious versions 4.87.1 and 4.87.2 on the PyPI repository. This campaign marks a tactical evolution from their earlier LiteLLM campaign, incorporating advanced evasion and persistence techniques. The malicious payload is activated immediately upon import of the compromised SDK, leveraging WAV-based steganography to conceal malicious code within audio files, thereby complicating detection by traditional static and dynamic analysis tools. Additionally, the attack employs split-file code injection, distributing the malicious logic across multiple source files to evade signature-based detection and complicate forensic analysis.

The payload supports multiple operating systems—Linux, macOS, and Windows—broadening the attack surface. On Windows, persistence is achieved through the Startup folder, ensuring execution on system reboot. The payload downloads and executes credential-stealing malware designed to exfiltrate sensitive authentication data, posing a significant risk to user accounts and organizational security. Notably, the attackers transitioned their command and control infrastructure from encrypted HTTPS to plaintext HTTP, which may inadvertently expose their activities to network defenders but could also indicate operational trade-offs or attempts to blend with benign traffic.

Given the nature of the supply-chain compromise, any organization relying on the Telnyx Python SDK versions 4.87.1 or 4.87.2 is at risk. The absence of a CVSS score necessitates an independent severity assessment, which is high due to the multi-platform credential theft capabilities, stealthy evasion, and persistence mechanisms. Indicators of compromise include several file hashes and an IP address (83.142.209.203) associated with the campaign. Organizations are strongly advised to revert to the last known clean SDK version and conduct thorough incident response procedures to identify and remediate any compromise.

Potential Impact

This supply-chain attack threatens organizations worldwide that use the Telnyx Python SDK, potentially compromising sensitive credentials across Linux, macOS, and Windows environments. Credential theft can lead to unauthorized access to critical systems, data breaches, lateral movement within networks, and further malware deployment. The multi-platform nature increases the scope of affected systems, including development, production, and CI/CD environments. The use of advanced evasion techniques such as audio steganography and split-file injection complicates detection and forensic efforts, increasing dwell time and risk of extensive compromise. Persistence on Windows systems via the Startup folder ensures malware survival across reboots, facilitating long-term access. The shift to plaintext HTTP C2 traffic could allow network defenders to detect and disrupt communications, but also indicates attackers’ confidence or operational constraints. The attack undermines trust in open-source supply chains, potentially impacting software development workflows and increasing operational costs due to remediation and incident response. Organizations may face regulatory and reputational damage if credential theft leads to data breaches or service disruptions.

Mitigation Recommendations

1. Immediately downgrade the Telnyx Python SDK to the last known clean version prior to 4.87.1 and 4.87.2 to prevent further exposure.
2. Conduct comprehensive endpoint and network forensics to identify any signs of compromise, focusing on the presence of the identified malicious hashes and suspicious network traffic to IP 83.142.209.203.
3. Implement enhanced monitoring for unusual process behaviors, especially those involving audio file processing or unexpected network connections over plaintext HTTP.
4. Audit Windows systems for unauthorized persistence mechanisms, particularly in the Startup folder, and remove any suspicious entries.
5. Employ advanced threat detection tools capable of analyzing steganographic content and split-file injection patterns to improve detection capabilities.
6. Rotate all potentially compromised credentials and enforce multi-factor authentication to limit attacker access.
7. Educate development and DevOps teams on supply-chain risks and enforce strict package version controls and integrity verification (e.g., hash checks, signed packages).
8. Use network segmentation and egress filtering to limit malware communication channels.
9. Collaborate with threat intelligence providers to stay updated on emerging indicators and tactics from TeamPCP.
10. Consider deploying runtime application self-protection (RASP) or behavior-based anomaly detection within critical environments to detect malicious SDK behavior in real time.
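As an added defender-side triage helper (not part of the advisory or of the Telnyx project), the following Python script covers steps 1, 2 and 4 above: it checks the installed telnyx version against the two malicious releases, hashes files under a directory against the IoC hashes published with this advisory, and lists the per-user Windows Startup folder for manual review. The Startup folder path under %APPDATA% and the use of importlib.metadata to read the installed version are assumptions about a standard Windows/Python environment.

```python
import hashlib
import importlib.metadata
import os
from pathlib import Path

# Telnyx SDK releases the advisory names as malicious.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}

# IoC hashes quoted in the advisory (one MD5, one SHA-1, four SHA-256), lowercase hex.
IOC_HASHES = {
    "5870a0bf82bbdf2687d8dce89dfa668f",
    "4ce6ad55d8912aacc4ae4c572237131d0b7ba4b5",
    "23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5",
    "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9",
    "ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e",
    "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3",
}

def is_malicious_version(version):
    """True for the two releases that must be downgraded (step 1)."""
    return version.strip() in MALICIOUS_VERSIONS

def installed_telnyx_version():
    """Installed telnyx distribution version, or None if it is not installed (assumed: importlib.metadata)."""
    try:
        return importlib.metadata.version("telnyx")
    except importlib.metadata.PackageNotFoundError:
        return None

def digests_of_bytes(data):
    """MD5, SHA-1 and SHA-256 hex digests, so every IoC hash format on the page can match."""
    return {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}

def scan_tree(root):
    """Files under root (e.g. a site-packages directory) whose digest is an IoC hash (step 2)."""
    return [p for p in Path(root).rglob("*") if p.is_file() and digests_of_bytes(p.read_bytes()) & IOC_HASHES]

def startup_folder_entries():
    """Per-user Windows Startup folder contents for manual review (step 4); [] off Windows. Path is assumed."""
    appdata = os.environ.get("APPDATA")
    startup = Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup") if appdata else None
    return sorted(str(p) for p in startup.iterdir()) if startup and startup.is_dir() else []

if __name__ == "__main__":
    version = installed_telnyx_version()
    print("telnyx:", version, "(MALICIOUS, downgrade)" if version and is_malicious_version(version) else "")
    for hit in scan_tree(Path.cwd()):
        print("IoC match:", hit)
    for entry in startup_folder_entries():
        print("Startup entry (review):", entry)
```

Point scan_tree at the interpreter's site-packages directory (or a whole checkout) rather than the current directory when triaging a real host; a hash match is confirmation, but the version check alone is reason to treat the machine as compromised.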


Technical Details

Author: AlienVault
TLP: white
References: https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html
Adversary: TeamPCP
Pulse Id: 69cabb96c63dbeb412355267
Threat Score: null

Indicators of Compromise

Hash

5870a0bf82bbdf2687d8dce89dfa668f
4ce6ad55d8912aacc4ae4c572237131d0b7ba4b5
23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5
7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e
cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3

IP

83.142.209.203

Threat ID: 69caed48e6bfc5ba1d70eba9

Added to database: 3/30/2026, 9:38:16 PM

Last enriched: 3/30/2026, 9:53:25 PM

Last updated: 3/31/2026, 6:45:52 AM