TeamPCP Campaign Spreads Across Open Source, Now Hits Telnyx


A weeks-long open-source supply chain attack has now compromised Telnyx’s official PyPI SDK, extending TeamPCP’s campaign beyond Trivy and LiteLLM into a widely trusted communications library used across CI/CD and production environments.

A growing open-source supply chain attack campaign linked to TeamPCP has now compromised the official Telnyx Python SDK on PyPI, marking a dangerous escalation from earlier breaches involving Trivy, LiteLLM, NPM, Docker Hub, Kubernetes, and OpenVSX.
The latest poisoned releases, versions 4.87.1 and 4.87.2, target Windows, macOS, and Linux, turning a widely trusted SDK with more than 670,000 monthly downloads into a cross-platform malware delivery vector. The broader significance lies in the fact that official open-source packages—not typosquats—are being directly weaponised, amplifying downstream risk across CI/CD pipelines, production applications, automated builds, and transitive dependencies.

The attack’s most sophisticated element is its payload delivery method. According to Aikido, “The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script.”
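The decoding steps Aikido describes (valid WAV container, base64 text inside the audio frames, first 8 decoded bytes as a repeating XOR key) are concrete enough to write a triage check against. The script below is an added example, not code from Aikido, JFrog or Telnyx: it extracts the longest base64-alphabet run from a WAV's frame data, unmasks it as described, and sniffs what came out (PE, ELF, Mach-O, Python source). It assumes the base64 sits as one contiguous printable run in the frames; all function names are hypothetical, and the sample WAV is constructed in the block with a harmless two-line script as its payload.

```python
"""
Triage helper for the WAV carrier format quoted from Aikido above.

Added example, not code from Aikido, JFrog or Telnyx. It assumes the
base64 text sits in the audio frames as one contiguous printable run,
and that the first 8 bytes of the decoded blob are the XOR key, as the
quoted description states. All function names are hypothetical.
"""
import base64
import binascii
import io
import re
import wave
from typing import Dict, Optional

KEY_LEN = 8  # "take the first 8 bytes as the XOR key"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def read_wav_frames(wav_bytes: bytes) -> bytes:
    """Return the raw sample data of a WAV file held in memory."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.readframes(w.getnframes())


def longest_base64_run(frames: bytes) -> Optional[bytes]:
    """Pick the longest base64-alphabet run; real audio rarely yields long ones."""
    runs = B64_RUN.findall(frames)
    return max(runs, key=len) if runs else None


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it both masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_payload(payload: bytes) -> str:
    """Cheap content sniff of the unmasked bytes by magic number or source shape."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"\x7fELF"):
        return "elf-executable"
    if payload[:4] in (b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "mach-o"
    if re.search(rb"^(import |from \S+ import |#!)", payload[:256], re.M):
        return "python-script"
    return "unknown"


def triage_wav(wav_bytes: bytes) -> Dict[str, object]:
    """Decode the carrier as described and report what, if anything, was found."""
    run = longest_base64_run(read_wav_frames(wav_bytes))
    if run is None:
        return {"suspicious": False, "reason": "no base64 run in frames"}
    try:
        blob = base64.b64decode(run, validate=True)
    except binascii.Error:
        # Ordinary audio can contain short alphabet runs that are not real base64
        return {"suspicious": False, "reason": "base64 run does not decode"}
    if len(blob) <= KEY_LEN:
        return {"suspicious": False, "reason": "decoded blob too short"}
    payload = xor_with_key(blob[KEY_LEN:], blob[:KEY_LEN])
    kind = classify_payload(payload)
    return {"suspicious": kind != "unknown", "kind": kind, "payload_len": len(payload)}


def build_wav(frames: bytes) -> bytes:
    """Wrap arbitrary bytes as 8-bit mono PCM; the result is a valid WAV file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()


def constructed_sample() -> bytes:
    """Constructed test input: a harmless two-line script masked with a fixed key."""
    key = b"ABCDEFGH"
    benign = b"import os\nprint('constructed sample')\n"
    run = base64.b64encode(key + xor_with_key(benign, key))
    return build_wav(b"\x80" * 32 + run + b"\x80" * 32)  # 0x80 is 8-bit PCM silence


if __name__ == "__main__":
    print(triage_wav(constructed_sample()))
    print(triage_wav(build_wav(b"\x80" * 64)))
```

The check is deliberately tolerant of noise: audio bytes that happen to fall in the base64 alphabet produce short or unpadded runs that fail strict decoding and are reported as clean, while a genuine carrier decodes and classifies. Run it over WAV files shipped inside a suspect wheel or sdist rather than trusting MIME-type checks, which the quoted description says the carrier passes.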

On Windows, the package drops an executable into the Startup folder, while macOS and Linux systems decode a third-stage Python collector designed to steal session keys and secrets.

JFrog security researcher Guy Korolevski noted, “It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP’s recent attacks on the open source ecosystems.”

Users who installed either malicious version should immediately assume compromise, rotate all credentials (API keys, SSH keys, and other secrets), and audit their CI/CD runners.
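Before rotating anything, teams need to know whether the two versions named above ever reached their environments. The following is an added example, not Telnyx's or JFrog's tooling: it flags `telnyx` pins to 4.87.1 or 4.87.2 in requirements, constraints or `pip freeze` output, and checks the interpreter it runs in via `importlib.metadata`. The sample freeze text is constructed for the demonstration, and the function names are hypothetical.

```python
"""
Inventory check for the two poisoned telnyx releases named in the article.

Added example, not Telnyx's or JFrog's tooling. It assumes the package is
pinned with '==' in the scanned text (requirements.txt, constraints files,
or 'pip freeze' output) and that the interpreter it runs in exposes package
metadata through importlib.metadata. Function names are hypothetical.
"""
import re
from importlib import metadata
from typing import List, Optional

PACKAGE = "telnyx"
AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}  # versions named in the article

# name[extras] == version, tolerating spaces and trailing markers or comments
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+!-]*)"
)


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def affected_pins(text: str) -> List[str]:
    """Return the lines of a requirements-style text that pin a poisoned version."""
    hits = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        if normalize(m.group(1)) == PACKAGE and m.group(2) in AFFECTED_VERSIONS:
            hits.append(line.strip())
    return hits


def installed_version(package: str = PACKAGE) -> Optional[str]:
    """Version of the package visible to the current interpreter, or None."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def installed_is_affected() -> bool:
    """True only when the running environment has one of the named versions."""
    return installed_version() in AFFECTED_VERSIONS


# Constructed sample of 'pip freeze' style output; not a real project's lockfile
CONSTRUCTED_FREEZE = """\
requests==2.31.0
telnyx==4.87.1
Telnyx == 4.87.2  # constructed line
telnyx==4.86.0
"""

if __name__ == "__main__":
    for hit in affected_pins(CONSTRUCTED_FREEZE):
        print("affected pin:", hit)
    print("installed telnyx affected:", installed_is_affected())
```

Run `affected_pins` over every requirements and constraints file in the repository and over `pip freeze` output captured from each CI runner image; a hit in any of them is the trigger for the credential rotation and runner audit described above. Unpinned or range-constrained entries are not caught by this check, so build logs should also be searched for which version the resolver actually installed.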
