{
  "name": "Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware",
  "slug": "telnyx-python-sdk-compromised-to-deliver-credential-stealing-malware",
  "description": "A supply chain attack affecting the telnyx Python package on PyPI has been identified. Malicious versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. On Linux/macOS the attack employs a three-stage runtime chain: audio steganography for delivery (the payload is carried in WAV files fetched from the attacker-controlled host listed in the observables), in-memory execution of a data harvester, and encrypted exfiltration. On Windows, it instead drops a persistent binary into the user's Startup folder. The malware uses fileless execution, hybrid encryption, and anti-forensics measures. The threat actor, TeamPCP, demonstrates high operational security and cryptographic awareness. Developers who installed telnyx 4.87.1 or 4.87.2 are advised to audit the affected environments (including the Windows Startup folder for the dropped binary), rotate every credential those hosts could access, and check network and host telemetry for the indicators of compromise listed below, in particular connections to 83.142.209.203 on port 8080.",
  "published": "2026-03-28T06:39:59+00:00",
  "created_at": "2026-03-28T06:39:59+00:00",
  "modified_at": "2026-03-30T08:12:11+00:00",
  "created_at_opencti": "2026-03-28T06:39:59+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-28",
    "credential harvesting",
    "fileless execution",
    "hybrid encryption",
    "pypi",
    "steganography",
    "supply chain attack",
    "telnyx"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "83.142.209.203"
      },
      {
        "id": "",
        "name": "http://83.142.209.203:8080/ringtone.wav"
      },
      {
        "id": "",
        "name": "http://83.142.209.203:8080/hangup.wav"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa",
        "name": "TeamPCP",
        "slug": "teampcp"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "d4ebbe9f-66c4-4806-b26c-4a0811962f9c",
        "name": "T1553.006"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "890a254d-7af5-4374-84b5-ebcc4375e379",
        "name": "T1588.006"
      },
      {
        "id": "61188dce-ace8-48b2-bda2-c846b920485c",
        "name": "T1567.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "64a0d74f-fa17-4354-a680-55f4197b71ef",
        "name": "T1132.002"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69c785cfafa051ecd9a83cd7",
    "https://socket.dev/blog/telnyx-python-sdk-compromised"
  ]
}