{"id":228523,"date":"2026-03-27T12:53:00","date_gmt":"2026-03-27T16:53:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/27\/teampcp-pushes-malicious-telnyx-versions-to-pypi-hides-stealer-in-wav-files\/"},"modified":"2026-03-28T09:40:10","modified_gmt":"2026-03-28T13:40:10","slug":"teampcp-pushes-malicious-telnyx-versions-to-pypi-hides-stealer-in-wav-files","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/27\/teampcp-pushes-malicious-telnyx-versions-to-pypi-hides-stealer-in-wav-files\/","title":{"rendered":"TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html\">TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html\">https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html<\/a><\/p>\n<p>Publish Date: 2026-03-27 12:53:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data.<\/p>\n<p>The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) repository on March 27, 2026, concealed their credential harvesting capabilities within a .WAV file. Users are advised to downgrade to version 4.87.0 immediately. The PyPI project is currently quarantined.<\/p>\n<p>Various reports from Aikido, Endor Labs, JFrog,\u00a0Ossprey Security, SafeDep, Socket, and StepSecurity indicate the malicious code is injected into &#8220;telnyx\/_client.py,&#8221; causing it to be invoked when the package is imported into a Python application. 
The malware is designed to target Windows, Linux, and macOS systems.<\/p>\n<p>&#8220;Our analysis reveals a three-stage runtime attack chain on Linux\/macOS consisting of delivery via audio steganography, in-memory execution of a data harvester, and encrypted exfiltration,&#8221; Socket said. &#8220;The entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host.&#8221;<\/p>\n<p>On Windows, the malware downloads a file named &#8220;hangup.wav&#8221; from a command-and-control (C2) server and extracts from the audio data an executable that&#8217;s then dropped into the Startup folder as &#8220;msbuild.exe.&#8221; This allows it to persist across system reboots and automatically run every time a user logs in to the system.<\/p>\n<p>If the compromised host runs Linux or macOS, it fetches a different .WAV file (&#8220;ringtone.wav&#8221;) from the same server, then extracts and runs a third-stage collector script. The credential harvester is designed to capture a wide range of sensitive data and exfiltrate it as &#8220;tpcp.tar.gz&#8221; via an HTTP POST request to &#8220;83.142.209[.]203:8080.&#8221;<\/p>\n<p>&#8220;The standout technique in this sample &#8211; and the reason for the post title &#8211; is the use of audio steganography to deliver the final payload,&#8221; Ossprey Security said&#8230;.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":228524,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj1CMUCCEUOX5JczcW-qUC2Bw8_3GmKNoLItyUq-AeuCUvFrJJL0t6aW5EhyJzNT5OyQJulbqwy847fK_EEBieTmTHEKn33suBcHss0AflwRWkPdmqT7FUbX5Rahkwz09g0Fw2GDZr00dAqHeEouzWvFVKMLgNshyO2HQ6QcD5qtbNu59djr1cdm0iV_ksj\/s1600\/wave.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,34],"class_list":["post-228523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228523"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=228523"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228523\/revisions"}],"predecessor-version":[{"id":228525,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228523\/revisions\/228525"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/228524"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=228523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=228523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=228523"}],"curies":[{"name":"wp","href":"ht
tps:\/\/api.w.org\/{rel}","templated":true}]}}