Telnyx package breach jolts Python supply chains

Security teams are scrambling after two malicious releases of the Telnyx Python SDK were uploaded to PyPI on March 27, turning a widely used developer tool into a credential-stealing backdoor that could execute as soon as the library was imported. The compromised versions, 4.87.1 and 4.87.2, were published at 03:51 UTC and quarantined by 10:13 UTC, leaving a window of a little over six hours in which developers and automated build systems could have pulled the tainted package.

What makes the incident especially serious is that the malicious code was inserted into telnyx/_client.py, a core file loaded when applications call import telnyx. That meant the attack did not depend on a user running the SDK in any special way or invoking an obscure function. Security researchers said the payload was designed to fire before normal application logic, a tactic that increases the odds of successful compromise in production systems where the package is used to handle API credentials for voice, messaging, fax, IoT and related communications workflows.

Investigators from multiple security firms said the rogue releases used a multi-stage technique built around WAV steganography, hiding the next-stage payload in what appeared to be audio files fetched from an external server. On Windows, the malware allegedly extracted and dropped a file masquerading as msbuild.exe into the Startup folder to maintain persistence after reboot. On Linux and macOS, the payload was designed to harvest credentials and other sensitive material, then encrypt and exfiltrate the data. Researchers analysing the campaign said the stolen material could include SSH keys, cloud secrets, Kubernetes tokens and other high-value credentials commonly found in developer and server environments.

Telnyx said the compromise was limited to the PyPI distribution channel for the Python SDK and did not affect the company’s platform, APIs or infrastructure. The company’s advisory said the malicious versions were unauthorized uploads and that version 4.87.0 was the last known clean release. That distinction matters because it points to a software supply-chain breach rather than a wider intrusion into the communications provider’s production network. At the same time, it offers only partial reassurance for customers whose development pipelines may have automatically fetched the poisoned package during the exposure window.

The attack has been linked by several researchers to TeamPCP, the group associated with an expanding campaign against open-source ecosystems. Analysts tied the Telnyx compromise to earlier incidents through technical overlaps, including the use of the same RSA public key, similar encryption methods and the tpcp.tar.gz exfiltration marker. Security researchers have also connected the case to other attacks involving LiteLLM and additional software repositories, suggesting an operator that is moving quickly across ecosystems and adjusting its methods to evade detection.

That broader context is a key reason the Telnyx breach is drawing attention beyond one package. The compromise shows how attackers are shifting from simple typo-squatting and fake packages to the hijacking of trusted, legitimate libraries already embedded in production stacks. Because Telnyx is an official SDK with established usage in backend systems, the blast radius could extend well beyond individual developers to businesses running automated deployments, mirrored package repositories and dependency chains that quietly inherit upstream changes. Several security firms noted that import-time execution also weakens traditional assumptions about reachability, because malicious code can run before an application makes any obvious call into a suspicious feature.

For companies exposed to the tainted versions, the advice from researchers has been blunt: treat affected environments as potentially compromised, downgrade or remove the malicious releases, block any related network indicators, and rotate credentials across systems that may have been accessible from infected hosts. That response can be costly, especially for cloud-native teams managing containers, registries and clustered infrastructure, but the nature of the payload leaves little room for half measures. Once a supply-chain attack reaches secrets used for infrastructure and communications, the line between a contained package incident and a larger enterprise security event can disappear quickly.
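As an added example, not part of the article or of Telnyx's own tooling, the following Python check flags the two malicious versions named above (4.87.1 and 4.87.2) in a requirements or lock file and in the local interpreter, and reports loosely pinned telnyx entries that a resolver could have satisfied with a tainted release during the exposure window. The sample file contents are constructed for the demonstration.

```python
"""Scan requirement/lock files and the local environment for the Telnyx SDK
releases the advisory names as malicious (4.87.1 and 4.87.2)."""
import re
from importlib import metadata

MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}   # unauthorized uploads per Telnyx's advisory

# A telnyx requirement line: name, optional extras, optional operator and version.
_REQ_RE = re.compile(r"^telnyx(?![A-Za-z0-9_.-])(?:\[[^\]]*\])?\s*"
                     r"(?P<op>[<>=!~]+)?\s*(?P<ver>[0-9][0-9A-Za-z.\-]*)?", re.IGNORECASE)

def version_is_malicious(version: str) -> bool:
    return version.strip() in MALICIOUS_VERSIONS

def scan_requirements(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for telnyx lines that need attention: '==' pins
    are checked against the malicious set, and any looser specifier is reported as
    unpinned, since a resolve during the exposure window could have picked 4.87.1/4.87.2."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments such as pip-compile annotations
        m = _REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "===") and ver:
            if version_is_malicious(ver):
                findings.append((lineno, f"malicious pin telnyx=={ver}"))
        else:
            findings.append((lineno, f"unpinned telnyx ({op or ''}{ver or 'any version'})"))
    return findings

def installed_telnyx_status() -> str:
    """Classify the telnyx distribution installed in this interpreter, if any."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "not installed"
    if version_is_malicious(version):
        return f"malicious ({version}): treat host as compromised, rotate credentials"
    return f"ok ({version})"

# Constructed sample lock-file content, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
telnyx==4.87.1
Telnyx == 4.87.0   # pinned to the last clean release
telnyx>=4.80
"""
```

Run scan_requirements over the contents of each requirements.txt, constraints or pip-compiled lock file in a pipeline, and installed_telnyx_status() inside the interpreter that build or deployment jobs actually use, since a mirrored index may have cached the tainted wheels.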
