SECURITYWEEK reports that two malicious Telnyx Python SDK versions, 4.87.1 and 4.87.2, were uploaded to the PyPI registry and targeted Windows, macOS and Linux, as part of TeamPCP’s growing supply chain campaign. The campaign began on 19 March with Aqua Security’s Trivy and subsequently spread to NPM, Docker Hub, Kubernetes, OpenVSX and the LiteLLM PyPI package, with Telnyx described as the latest victim.
The rogue packages contained a WAV file that could drop an executable in the Windows startup folder or run a hardcoded Python script to exfiltrate a machine’s session key on macOS and Linux.
The exfiltrated data is encrypted with RSA, and according to JFrog the public key used is the same one seen in previous TeamPCP attacks. GitGuardian’s analysis warns that the blast radius extends far beyond the disclosed packages: it counts over 470 repositories using a malicious Trivy GitHub Action and more than 1,900 packages that include LiteLLM as a dependency, and notes that both figures are lower bounds.
Telnyx has around 670,000 monthly downloads for its Python library, which the report notes could amplify the impact of the compromise. According to GitGuardian, the TeamPCP campaign’s reach may be much larger when private repositories and transitive dependencies are considered.
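A defender reading this report will first want to know whether the two named Telnyx SDK versions are pinned anywhere in their own projects, and whether LiteLLM, which the report ties to the same campaign, appears as a dependency at all. The script below is an added example, not code from SecurityWeek, JFrog, GitGuardian or Telnyx. It parses a requirements/`pip freeze` style listing, flags an exact pin to 4.87.1 or 4.87.2, flags a Telnyx entry that is not pinned exactly (so the resolved version must be checked in a lock file or with `pip show telnyx`), and lists LiteLLM for review. The requirements text embedded at the bottom is constructed for the example; the `litellm==1.0.0` pin in it is a made-up version number and is not a claim about any real LiteLLM release.

```python
"""Check a requirements-style listing for the Telnyx SDK versions named in the
report (4.87.1, 4.87.2) and for packages named in the same campaign.

Added example; not the reporting outlets' or Telnyx's own tooling.
"""
import re
from typing import Dict, List, Optional

# Telnyx Python SDK versions the report names as malicious.
MALICIOUS_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}

# Packages the report names as part of the same campaign. Any presence is
# surfaced for review; the script does not know which versions were affected.
CAMPAIGN_PACKAGES_TO_REVIEW = {"litellm"}

# "name[extras] <version spec>" with the spec captured loosely.
_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# Exact pin, e.g. "==4.87.2" (arbitrary-equality "===" is deliberately ignored).
_EXACT_PIN_RE = re.compile(r"^==\s*([0-9][0-9A-Za-z.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 style normalization so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, Optional[str]]:
    """Map each listed package to its exact pinned version, or None if it is
    listed without an exact '==' pin. Comments and option lines are skipped."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or pip option such as -r/-e
        m = _LINE_RE.match(line)
        if not m:
            continue
        name, spec = normalize_name(m.group(1)), m.group(2).strip()
        pin = _EXACT_PIN_RE.match(spec)
        pins[name] = pin.group(1) if pin else None
    return pins


def check_requirements(text: str) -> List[str]:
    """Return human-readable findings for the listing; empty means nothing to act on."""
    pins = parse_pins(text)
    findings: List[str] = []

    if "telnyx" in pins:
        version = pins["telnyx"]
        if version in MALICIOUS_TELNYX_VERSIONS:
            findings.append(
                f"telnyx=={version}: version named as malicious in the report; "
                "remove or upgrade, and rotate any credentials the host could reach"
            )
        elif version is None:
            findings.append(
                "telnyx: not pinned to an exact version; confirm the resolved "
                "version in your lock file or with `pip show telnyx`"
            )

    for pkg in sorted(CAMPAIGN_PACKAGES_TO_REVIEW):
        if pkg in pins:
            shown = pins[pkg] or "unpinned"
            findings.append(
                f"{pkg}=={shown}: package named in the same campaign; verify the "
                "installed version against the vendor's and registry's advisories"
            )
    return findings


# Constructed sample listing for this example; not a real project's lock file.
SAMPLE_REQUIREMENTS = """# constructed sample
requests==2.32.3
telnyx==4.87.2   # pinned to a version named in the report
litellm==1.0.0   # constructed version number, not a real release claim
numpy>=1.26
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

In practice, feed the script the output of `pip freeze` from the affected environment rather than a hand-written requirements file, since the exact pin is what tells you which artifact was actually installed.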