Malicious versions of the Telnyx package were uploaded to the Python Package Index on March 27, 2026, according to BleepingComputer. The report says the backdoored releases, versions 4.87.1 and 4.87.2, delivered credential-stealing malware hidden inside a WAV file.
What happened
BleepingComputer says the supply-chain attack was observed by Aikido, Socket, and Endor Labs. The activity was attributed to TeamPCP based on an exfiltration pattern and an RSA key that researchers said matched previous incidents linked to the same actor.
The report describes the Telnyx PyPI package as the official Python SDK for integrating Telnyx communication services, including VoIP, messaging, fax, and IoT connectivity.
Key details
On Linux and macOS, the malicious package versions dropped malware designed to steal SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other secrets, according to the report.
On Windows, BleepingComputer says the malware was dropped into the startup folder for persistence so it would run at every login.
The article also says security researchers believe the project was likely breached through stolen credentials for the package publishing account on PyPI.
Why this package drew attention
BleepingComputer reports that the Telnyx package receives more than 740,000 downloads per month on PyPI. That made the compromise notable because the affected package is widely used as Telnyx's official Python SDK.