Malware Delivered via Backdoored Telnyx PyPI Package Uncovered

Post Views: 20

Supply Chain Compromise Strikes Again: Malicious Telnyx PyPI Package Delivers Malware

A recent supply chain attack has compromised the Telnyx software development kit (SDK), a widely used tool for the Telnyx AI Voice Agent service.

Researchers at Endor Labs Discovered the Attack

Researchers at Endor Labs discovered that attackers had backdoored the legitimate SDK code and published malicious versions 4.87.1 and 4.87.2 on the Python Package Index (PyPI).

According to Endor Labs’ Kiran Raj, “We believe the most likely vector is the Litellm compromise itself.”

The compromised Telnyx SDK was released on March 27, 2026, between 3:51 UTC and 4:07 UTC, without corresponding GitHub releases or tags, indicating that the PyPI publishing credentials were compromised.

The malicious releases contained a typo that rendered the code non-functional, prompting the attackers to publish a revised version.
However, the revised version still delivered a malicious payload, which was encoded within the audio frame data of a valid WAV file.
Upon execution, the malicious package retrieved and dropped a persistent executable on Windows systems or an information stealer on Linux/macOS systems.
The latter is designed to exfiltrate sensitive data, including SSH keys and configurations, cloud credentials, authentication data, database credentials, environment configuration files, shell and database histories, and cryptocurrency wallet data.
If a Kubernetes service account token existed, the malware would deploy a privileged pod to every node in kube-system, each mounting the host root filesystem at /host with hostPID, hostNetwork, and privileged: True.
The pods would then chroot into the host to install the persistence implant directly on the node.

Analyses Revealed Undisputable Links to TeamPCP

Analyses of the incident have revealed undisputable links to TeamPCP, who compromised Trivy, LiteLLM, and CheckMarx’s IDE extensions and GitHub Actions in the past week or so.

Endor Labs’ attribution is based on multiple overlapping indicators, including:

The use of an RSA-4096 public key previously observed in the LiteLLM PyPI compromise.
The use of the same AES-256-CBC + RSA OAEP encryption scheme for data exfiltration.
The presence of specific archive files and headers during data exfiltration that are a TeamPCP signature.

Researches have shared indicators of compromise and advised on how to check systems and logs for them. They recommend treating any match as a full-environment compromise, rotating all credentials, and referring to SafeDep and Aikido security researchers’ write-ups for additional guidance.