GHSA-955R-262C-33JC
Vulnerability from github – Published: 2026-03-30 19:15 – Updated: 2026-03-30 19:15Summary
On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline.
Exposure Window
| Version | Published (UTC) | Quarantined (UTC) | Exposure |
|---|---|---|---|
| 4.87.1 (broken) | 2026-03-27 03:51 | 2026-03-27 10:13 | 6h 22m |
| 4.87.2 (functional) | 2026-03-27 04:07 | 2026-03-27 10:13 | 6h 6m |
Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.
Note: Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional.
Who Is Affected
You may be affected if:
- You installed or upgraded the telnyx Python package between 03:51 UTC and 10:13 UTC on March 27, 2026
- You ran pip install telnyx without pinning a version and received 4.87.1 or 4.87.2
- A dependency in your project pulled in telnyx as a transitive, unpinned dependency
You are NOT affected if: - You pinned to version 4.87.0 or earlier - You installed before March 27, 2026 and did not upgrade - You built from GitHub source (malicious code was never committed to the repository)
Attack Details
Root Cause
The attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository.
Malicious Behavior
The malware is injected into telnyx/_client.py (74 additional lines) and executes on import telnyx:
Linux/macOS: 1. Spawns detached subprocess to survive parent exit 2. Downloads payload hidden inside WAV audio file (steganography) from C2 3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets 4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement 5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2
Windows:
1. Downloads binary hidden inside WAV file from C2
2. Drops as msbuild.exe in Startup folder for persistence
3. Executes with hidden window
Version Differences
| Version | Status | Notes |
|---|---|---|
| 4.87.1 | Broken | Typo: Setup() instead of setup() caused NameError |
| 4.87.2 | Functional | Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational |
Verified Safe Version
| Version | File | SHA-256 |
|---|---|---|
| 4.87.0 | telnyx-4.87.0-py3-none-any.whl |
5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2 |
| 4.87.0 | telnyx-4.87.0.tar.gz |
3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a |
Recommended Actions
1. Check If You Are Affected
# Check installed version
pip show telnyx | grep Version
# Check pip cache for telnyx versions
pip cache list telnyx 2>/dev/null
# Check when telnyx was installed (modification time)
ls -la $(python -c "import site; print(site.getsitepackages()[0])")/telnyx* 2>/dev/null
2. Remove Compromised Versions
pip uninstall telnyx
3. Rotate All Potentially Exposed Secrets
If there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised:
- SSH keys
- AWS/GCP/Azure credentials
- Kubernetes tokens and service accounts
- Docker registry credentials
- Database passwords
- API keys in .env files
- Telnyx API keys
4. Check for Persistence (Linux/macOS)
# Check for malicious systemd service
systemctl --user status audiomon 2>/dev/null
ls -la ~/.config/audiomon/ 2>/dev/null
# Check state file
ls -la /tmp/.initd_state 2>/dev/null
5. Check for Persistence (Windows)
# Check Startup folder
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"
6. Pin to Safe Version
pip install telnyx==4.87.0
Or in requirements.txt:
telnyx==4.87.0
Indicators of Compromise
Malicious Package Hashes
| File | SHA-256 |
|---|---|
telnyx-4.87.1-py3-none-any.whl |
7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9 |
telnyx-4.87.2-py3-none-any.whl |
cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3 |
Network
| IoC | Type |
|---|---|
83.142.209.203 |
C2 IP address |
http://83.142.209.203:8080/ringtone.wav |
Payload endpoint (Linux/macOS) |
http://83.142.209.203:8080/hangup.wav |
Payload endpoint (Windows) |
http://83.142.209.203:8080/raw |
Persistence polling endpoint |
Filesystem
| Path | Platform | Purpose |
|---|---|---|
~/.config/audiomon/audiomon.py |
Linux/macOS | Persistence implant |
~/.config/systemd/user/audiomon.service |
Linux | Persistence service |
/tmp/.initd_state |
Linux/macOS | State tracking |
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe |
Windows | Persistence binary |
msbuild.exe.lock |
Windows | 12-hour cooldown lock |
Exfiltration
- Archive name:
tpcp.tar.gz - HTTP header:
X-Filename: tpcp.tar.gz - Encryption: AES-256-CBC + RSA-4096 OAEP
Attribution
This attack is attributed to TeamPCP with high confidence based on:
- Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026)
tpcp.tar.gzarchive naming convention (TeamPCP signature)- Identical AES-256-CBC + RSA OAEP encryption scheme
- Same credential harvesting targets and techniques
RSA Key Hash:
- PEM SHA-256: 4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a
Resources
- https://github.com/team-telnyx/telnyx-python/issues/235
- https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm
- https://ramimac.me/teampcp
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "telnyx"
},
"ranges": [
{
"events": [
{
"introduced": "4.87.1"
},
{
"last_affected": "4.87.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T19:15:30Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nOn March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the `telnyx` Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline.\n\n## Exposure Window\n\n| Version | Published (UTC) | Quarantined (UTC) | Exposure |\n|---------|-----------------|-------------------|----------|\n| 4.87.1 (broken) | 2026-03-27 03:51 | 2026-03-27 10:13 | 6h 22m |\n| 4.87.2 (functional) | 2026-03-27 04:07 | 2026-03-27 10:13 | 6h 6m |\n\n\n**Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.**\n\n**Note:** Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional.\n\n## Who Is Affected\n\nYou may be affected if:\n- You installed or upgraded the `telnyx` Python package between 03:51 UTC and 10:13 UTC on March 27, 2026\n- You ran `pip install telnyx` without pinning a version and received 4.87.1 or 4.87.2\n- A dependency in your project pulled in `telnyx` as a transitive, unpinned dependency\n\nYou are NOT affected if:\n- You pinned to version 4.87.0 or earlier\n- You installed before March 27, 2026 and did not upgrade\n- You built from GitHub source (malicious code was never committed to the repository)\n\n## Attack Details\n\n### Root Cause\n\nThe attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository.\n\n### Malicious Behavior\n\nThe malware is injected into `telnyx/_client.py` (74 additional lines) and executes on `import telnyx`:\n\n**Linux/macOS:**\n1. Spawns detached subprocess to survive parent exit\n2. Downloads payload hidden inside WAV audio file (steganography) from C2\n3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets\n4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement\n5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2\n\n**Windows:**\n1. Downloads binary hidden inside WAV file from C2\n2. Drops as `msbuild.exe` in Startup folder for persistence\n3. Executes with hidden window\n\n### Version Differences\n\n| Version | Status | Notes |\n|---------|--------|-------|\n| 4.87.1 | Broken | Typo: `Setup()` instead of `setup()` caused NameError |\n| 4.87.2 | Functional | Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational |\n\n## Verified Safe Version\n\n| Version | File | SHA-256 |\n|---------|------|--------|\n| **4.87.0** | `telnyx-4.87.0-py3-none-any.whl` | `5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2` |\n| **4.87.0** | `telnyx-4.87.0.tar.gz` | `3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a` |\n\n## Recommended Actions\n\n### 1. Check If You Are Affected\n\n```bash\n# Check installed version\npip show telnyx | grep Version\n\n# Check pip cache for telnyx versions\npip cache list telnyx 2\u003e/dev/null\n\n# Check when telnyx was installed (modification time)\nls -la $(python -c \"import site; print(site.getsitepackages()[0])\")/telnyx* 2\u003e/dev/null\n```\n\n### 2. Remove Compromised Versions\n\n```bash\npip uninstall telnyx\n```\n\n### 3. Rotate All Potentially Exposed Secrets\n\nIf there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised:\n\n- SSH keys\n- AWS/GCP/Azure credentials\n- Kubernetes tokens and service accounts\n- Docker registry credentials\n- Database passwords\n- API keys in .env files\n- Telnyx API keys\n\n### 4. Check for Persistence (Linux/macOS)\n\n```bash\n# Check for malicious systemd service\nsystemctl --user status audiomon 2\u003e/dev/null\nls -la ~/.config/audiomon/ 2\u003e/dev/null\n\n# Check state file\nls -la /tmp/.initd_state 2\u003e/dev/null\n```\n\n### 5. Check for Persistence (Windows)\n\n```powershell\n# Check Startup folder\nGet-ChildItem \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe\"\n```\n\n### 6. Pin to Safe Version\n\n\n```bash\npip install telnyx==4.87.0\n```\n\nOr in requirements.txt:\n```\ntelnyx==4.87.0\n```\n\n## Indicators of Compromise\n\n### Malicious Package Hashes\n\n| File | SHA-256 |\n|------|--------|\n| `telnyx-4.87.1-py3-none-any.whl` | `7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9` |\n| `telnyx-4.87.2-py3-none-any.whl` | `cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3` |\n\n### Network\n\n| IoC | Type |\n|-----|------|\n| `83.142.209.203` | C2 IP address |\n| `http://83.142.209.203:8080/ringtone.wav` | Payload endpoint (Linux/macOS) |\n| `http://83.142.209.203:8080/hangup.wav` | Payload endpoint (Windows) |\n| `http://83.142.209.203:8080/raw` | Persistence polling endpoint |\n\n### Filesystem\n\n| Path | Platform | Purpose |\n|------|----------|--------|\n| `~/.config/audiomon/audiomon.py` | Linux/macOS | Persistence implant |\n| `~/.config/systemd/user/audiomon.service` | Linux | Persistence service |\n| `/tmp/.initd_state` | Linux/macOS | State tracking |\n| `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe` | Windows | Persistence binary |\n| `msbuild.exe.lock` | Windows | 12-hour cooldown lock |\n\n### Exfiltration\n\n- Archive name: `tpcp.tar.gz`\n- HTTP header: `X-Filename: tpcp.tar.gz`\n- Encryption: AES-256-CBC + RSA-4096 OAEP\n\n## Attribution\n\nThis attack is attributed to **TeamPCP** with high confidence based on:\n\n- Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026)\n- `tpcp.tar.gz` archive naming convention (TeamPCP signature)\n- Identical AES-256-CBC + RSA OAEP encryption scheme\n- Same credential harvesting targets and techniques\n\nRSA Key Hash:\n- PEM SHA-256: `4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a`\n\n## Resources\n\n- https://github.com/team-telnyx/telnyx-python/issues/235\n- https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm\n- https://ramimac.me/teampcp",
"id": "GHSA-955r-262c-33jc",
"modified": "2026-03-30T19:15:30Z",
"published": "2026-03-30T19:15:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
},
{
"type": "WEB",
"url": "https://github.com/team-telnyx/telnyx-python/issues/235"
},
{
"type": "PACKAGE",
"url": "https://github.com/team-telnyx/telnyx-python"
},
{
"type": "WEB",
"url": "https://ramimac.me/teampcp"
},
{
"type": "WEB",
"url": "https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.