PYSEC-2026-3

Vulnerability from pysec - Published: - Updated: 2026-03-27 14:53
Details

After an API token exposure caused by an exploited Trivy dependency, two new releases of telnyx were uploaded to PyPI containing malware that activates automatically, harvests sensitive credentials and files, and exfiltrates them to a remote API.

The compromised versions execute code when the telnyx module is imported, via modifications to _client.py.

The code downloads the next stages from endpoints on the host 83.142.209[.]203, encoded in WAV files. On Windows hosts, the malicious executable is written to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe for persistence and executed. On other systems, the payload is a Python script. After execution, the generated artifacts are exfiltrated to 83.142.209[.]203.

Version 4.87.1 contains a typo that prevents the automated execution of the malicious code.

The code uses the encryption key observed in previous TeamPCP actions. Full compromise of exposed systems, and of all credentials reachable from them, should be assumed. Those credentials should be revoked or rotated, and the affected systems isolated and analyzed for malicious actions and modifications.

The two versions have been removed from PyPI, and the project has been reinstated.
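The following is an added example, not code from the advisory or from the telnyx project. It turns the indicators the advisory gives into a local hunt: it flags the two affected version pins in a requirements file, reports the installed telnyx version (if any), scans the text of telnyx/_client.py for the C2 host and the Startup\msbuild.exe drop path, and checks for the Windows persistence file. The version numbers, host and path are taken from the advisory; the function names, regexes and the sample requirements/source snippets are this example's own assumptions. Both listed versions are treated as affected even though the advisory notes that the typo in 4.87.1 blocks automatic execution, since the malicious code is still present in that release.

```python
"""Hunt for the malicious telnyx releases described in PYSEC-2026-3.

Added example, not advisory or telnyx project code. Indicators (versions,
C2 host, persistence path) come from the advisory; everything else here
(function names, regexes, sample inputs) is an assumption of this example.
"""
from __future__ import annotations

import os
import re
from importlib import metadata
from pathlib import Path

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}   # the two releases listed in the advisory
C2_HOST = "83.142.209.203"                 # defanged as 83.142.209[.]203 in the advisory
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe, relative to APPDATA
STARTUP_SUBPATH = Path("Microsoft/Windows/Start Menu/Programs/Startup/msbuild.exe")

# Matches pins such as "telnyx==4.87.2" (name match is case-insensitive).
_PIN_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9A-Za-z.\-+!]+)", re.IGNORECASE)

# Constructed sample inputs for the demonstration below; not real project files.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
telnyx==4.87.2   # constructed pin of the affected release
Telnyx == 4.87.0
"""
SAMPLE_TAINTED_CLIENT = "# constructed: a line that merely contains the C2 host\nHOST = '83.142.209.203'\n"


def is_affected(version: str) -> bool:
    """Exact match only: the advisory names two bad releases, so no range logic is needed."""
    return version.strip() in AFFECTED_VERSIONS


def find_affected_pins(requirements_text: str) -> list[str]:
    """Return every affected telnyx version pinned in a requirements/constraints file."""
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments before matching
        m = _PIN_RE.match(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


def installed_telnyx_version() -> str | None:
    """Version of telnyx in the current environment, or None when it is not installed."""
    try:
        return metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None


def scan_client_source(source: str) -> list[str]:
    """Flag the advisory's indicators in the text of telnyx/_client.py."""
    findings = []
    if C2_HOST in source:
        findings.append(f"C2 host {C2_HOST} present")
    if re.search(r"Startup[\\/]+msbuild\.exe", source, re.IGNORECASE):
        findings.append("Startup\\msbuild.exe persistence path present")
    return findings


def scan_installed_client() -> list[str]:
    """Scan the installed telnyx/_client.py, if telnyx is present; otherwise report nothing."""
    try:
        dist = metadata.distribution("telnyx")
    except metadata.PackageNotFoundError:
        return []
    path = Path(str(dist.locate_file("telnyx/_client.py")))
    if not path.is_file():
        return []
    return scan_client_source(path.read_text(encoding="utf-8", errors="replace"))


def expected_startup_path(appdata: str) -> Path:
    """Where the advisory says the Windows payload is dropped, given an APPDATA directory."""
    return Path(appdata) / STARTUP_SUBPATH


def startup_persistence_present(appdata: str | None = None) -> bool:
    """True if the msbuild.exe persistence file exists under APPDATA (defaults to the env var)."""
    appdata = appdata or os.environ.get("APPDATA")
    if not appdata:
        return False                          # non-Windows host or APPDATA unset
    return expected_startup_path(appdata).is_file()


if __name__ == "__main__":
    print("installed telnyx version:", installed_telnyx_version())
    print("affected pins in sample requirements:", find_affected_pins(SAMPLE_REQUIREMENTS))
    print("IOCs in installed _client.py:", scan_installed_client())
    print("IOCs in constructed sample source:", scan_client_source(SAMPLE_TAINTED_CLIENT))
    print("Windows persistence file present:", startup_persistence_present())
```

Run it inside each virtual environment and CI image that could have resolved telnyx between the two uploads; a hit from any of the checks means the host falls under the advisory's guidance to assume full compromise, rotate reachable credentials and isolate the system, rather than just uninstalling the package.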

Impacted products
Name: telnyx
purl: pkg:pypi/telnyx

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "telnyx",
        "purl": "pkg:pypi/telnyx"
      },
      "versions": [
        "4.87.1",
        "4.87.2"
      ]
    }
  ],
  "credits": [
    {
      "name": "Caleb Brown (Google Open Source Security Team)",
      "type": "REPORTER"
    },
    {
      "name": "Mike Fiedler",
      "type": "COORDINATOR"
    },
    {
      "name": "Kamil Ma\u0144kowski",
      "type": "ANALYST"
    }
  ],
  "details": "After an API token exposure from an exploited Trivy dependency,\ntwo new releases of `telnyx` were uploaded to PyPI containing automatically activated malware,\nharvesting sensitive credentials and files, and exfiltrating to a remote API.\n\nCompromised versions execute code during importing the `telnyx` module through modifications in `_client.py`.\n\nThe code downloads the next stages from endpoints on the host 83.142.209[.]203, encoded in WAV files.\nOn Windows hosts, the malicious executable is placed in \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe`\nfor persistence and executed.\nOn other systems, the payload is a Python script.\nAfter executing it, generated artifacts are exfiltrated to 83.142.209[.]203.\n\nVersion 4.87.1 contains a typo preventing the automated execution of the malicious code.\n\nThe code uses the encryption key observed in previous TeamPCP actions.\nThe full compromise of exposed systems and all credentials reachable from them should be assumed. \nThe credentials should be revoked/rotated, and the affected systems isolated\nand analyzed against malicious actions and modifications.\n\nThe two versions have been removed from PyPI, and the project has been reinstated.\n",
  "id": "PYSEC-2026-3",
  "modified": "2026-03-27T14:53:14Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/telnyx/4.87.2/packages/3c/89/bff9e644b1076b96ba1e23deb2b7acffa9fe84166219ba9cb47cf356b7ec/telnyx-4.87.2.tar.gz/telnyx-4.87.2/src/telnyx/_client.py#line.7825"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/team-telnyx/telnyx-python/issues/235"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm"
    }
  ],
  "summary": "Two telnyx versions published containing credential harvesting malware"
}

