Telnyx joins LiteLLM in latest PyPI package poisoning tied to Trivy breach
Summary
Researchers from Ox Security say the threat group TeamPCP — linked to the recent Trivy supply-chain compromise that led to malicious LiteLLM packages on PyPI — has pushed trojanised versions of the Telnyx Python SDK to PyPI. The malicious releases contain a multi-stage infostealer and persistence mechanisms similar in intent to the LiteLLM implants, but implemented differently: the Telnyx package downloads a .wav file which is decoded and executed on the host.
Telnyx told researchers it has removed the malicious uploads and stated only its Python package was affected; its infrastructure and APIs were not compromised. However, anyone who installed versions 4.87.1 or 4.87.2 should treat the host as compromised and rotate any exposed credentials. Ox notes Telnyx averages over 34,000 PyPI downloads a week, so the exposure window could be large.
Key Points
- TeamPCP (linked to the Trivy compromise) distributed malicious Telnyx SDK builds to PyPI aiming to plant credential-stealing malware.
- The Telnyx compromise uses a multi-stage infostealer that fetches a .wav payload which is decoded and executed — a different delivery method to the LiteLLM implants.
- Telnyx confirms only its Python package was affected; company infrastructure and services were not impacted according to its statement.
- Developers should check installed Telnyx versions: 4.87.1 and 4.87.2 are flagged — treat affected hosts as compromised and rotate any credentials that may have been exposed.
- High download volume (≈34,000 weekly) increases the likelihood of widespread exposure during the window when malicious packages were live.
- This incident continues a trend of PyPI package poisoning and emphasises the risk to CI/CD pipelines and developer workstations from compromised upstream packages.
Context and Relevance
This story is part of a wider pattern of supply-chain attacks targeting open-source package repositories and popular developer dependencies. The initial Trivy compromise spawned malicious LiteLLM packages; TeamPCP has since reused that access or technique to target other legitimate packages. These attacks are particularly dangerous because they can silently compromise developer environments, CI runners, and production systems that pull dependencies automatically.
The article also summarises related cyber news: an alleged RedLine operator extradited to the US, the EU probing Snapchat and adult sites under the DSA for weak age checks, a LAPSUS$-claimed AstraZeneca data dump, and Oak Ridge National Laboratory’s Photon AI tool for large-scale vulnerability discovery. Together, they highlight growing pressure on software supply chains, data security and AI safety research.
Why should I read this
Heads-up: if you or your CI pip-installed the Telnyx SDK recently, this could be a nasty surprise. It’s quick to check your version and rotate creds — and you’ll want to know how these attackers are getting into PyPI so you can harden your toolchain. Short, sharp and useful.
Author style
Punchy: this isn’t just another library update — it’s a live supply-chain compromise that hits developers directly. Read the details and follow the mitigation steps now; the small effort could save a lot of remediation later.