TeamPCP Exploits Telnyx Python SDK in Supply Chain Attack
A newly identified hacking group, TeamPCP, has targeted Telnyx, a widely used communication platform, by embedding malicious code in compromised versions of its Python SDK. The attack, uncovered by OX Security on 27 March 2026, follows a series of supply chain breaches linked to the group, including a recent compromise of the Trivy security tool on 19 March 2026.
The hackers uploaded two tainted versions of the Telnyx Python library (4.87.1 and 4.87.2) to PyPI, disguising malicious functionality within a file named _client.py. This file triggered the download of a seemingly innocuous ringtone.wav, a decoy that, once executed, scanned infected systems for SSH keys, cryptocurrency wallets (Bitcoin, Ethereum), and cloud credentials (Google Cloud, Azure).
With the Telnyx SDK recording over 700,000 monthly downloads, the potential impact was significant. However, Telnyx confirmed that its core infrastructure, including voice services, messaging, and AI inference, remained unaffected, as the SDK operates independently of its backend systems. The breach was limited to developers who installed the compromised versions during the brief window they were live.
While no customer data was accessed, affected users were advised to downgrade to version 4.87.0 and rotate exposed credentials. The incident underscores the growing threat of supply chain attacks, where trusted software components are weaponized to distribute malware.
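One way to check a project for the two compromised releases named above, as an added example (not code from Telnyx, OX Security or the original article). It assumes dependencies are pinned in `name==version` form as in pip requirements files; the function names and the sample input are hypothetical.

```python
"""Find pins of the compromised telnyx releases (4.87.1, 4.87.2)."""
import re
from importlib import metadata

PACKAGE = "telnyx"
COMPROMISED = {"4.87.1", "4.87.2"}   # versions named in the article
SAFE = "4.87.0"                      # downgrade target named in the article

# name==version pin, tolerating extras, spaces, env markers, hashes, comments
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)")

def normalize(name):
    """PEP 503 normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return [(line_no, version)] for every pin of a compromised release."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in COMPROMISED:
            hits.append((no, m.group(2)))
    return hits

def installed_is_compromised():
    """True/False for the current environment, None if telnyx is absent."""
    try:
        return metadata.version(PACKAGE) in COMPROMISED
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input, not taken from any real project; the extra name,
# the hash placeholder and the telnyx-extras package are made up.
SAMPLE = """\
requests==2.31.0
# telnyx==4.87.1  (commented out, must not match)
Telnyx == 4.87.2 ; python_version >= "3.9"
telnyx==4.87.0
telnyx[extra]==4.87.1 \\
    --hash=sha256:PLACEHOLDER
telnyx-extras==4.87.1
"""

if __name__ == "__main__":
    for no, ver in scan_requirements(SAMPLE):
        print(f"line {no}: {PACKAGE}=={ver} is compromised, pin {SAFE}")
    print("installed copy compromised:", installed_is_compromised())
```

A hit in a pin file, or `True` from the installed check, means the machine falls under the advisory above: downgrade to 4.87.0 and rotate the credentials that were present on it.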
Source: https://hackread.com/teampcp-fake-ringtone-file-tainted-telnyx-sdk-credentials/
Telnyx cybersecurity rating report: https://www.rankiteo.com/company/telnyx
"id": "TEL1774873599",
"linkid": "telnyx",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Developers who installed '
                                              'compromised SDK versions '
                                              '(potential reach: 700,000 '
                                              'monthly downloads)',
                        'industry': 'Telecommunications',
                        'name': 'Telnyx',
                        'type': 'Communication Platform'}],
 'attack_vector': 'Malicious Python SDK versions uploaded to PyPI',
 'customer_advisories': 'Downgrade to version 4.87.0 and rotate exposed '
                        'credentials',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['SSH keys',
                                              'Cryptocurrency wallets',
                                              'Cloud credentials']},
 'date_detected': '2026-03-27',
 'date_publicly_disclosed': '2026-03-27',
 'description': 'A newly identified hacking group, TeamPCP, has targeted '
                'Telnyx, a widely used communication platform, by embedding '
                'malicious code in compromised versions of its Python SDK. The '
                'attack was uncovered by OX Security on 27 March 2026. The '
                'hackers uploaded two tainted versions of the Telnyx Python '
                'library (4.87.1 and 4.87.2) to PyPI, disguising malicious '
                'functionality within a file named _client.py. This file '
                'triggered the download of a decoy ringtone.wav, which scanned '
                'infected systems for SSH keys, cryptocurrency wallets '
                '(Bitcoin, Ethereum), and cloud credentials (Google Cloud, '
                'Azure).',
 'impact': {'data_compromised': 'SSH keys, cryptocurrency wallets (Bitcoin, '
                                'Ethereum), cloud credentials (Google Cloud, '
                                'Azure)',
            'identity_theft_risk': 'High (exposure of SSH keys and cloud '
                                   'credentials)',
            'systems_affected': 'Developer systems that installed compromised '
                                'SDK versions'},
 'initial_access_broker': {'entry_point': 'Compromised Python SDK versions on '
                                          'PyPI',
                           'high_value_targets': ['SSH keys',
                                                  'Cryptocurrency wallets',
                                                  'Cloud credentials']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing threat of supply chain attacks via trusted '
                    'software components',
 'post_incident_analysis': {'corrective_actions': 'Removal of compromised '
                                                  'versions, credential '
                                                  'rotation, and supply chain '
                                                  'verification',
                            'root_causes': 'Malicious code embedded in Python '
                                           'SDK versions 4.87.1 and 4.87.2'},
 'recommendations': 'Rotate exposed credentials, monitor for unauthorized '
                    'access, and verify software supply chain integrity',
 'references': [{'date_accessed': '2026-03-27', 'source': 'OX Security'}],
 'response': {'communication_strategy': 'Public advisory to affected '
                                        'developers',
              'containment_measures': 'Removal of compromised SDK versions '
                                      'from PyPI, advisory to downgrade to '
                                      'version 4.87.0',
              'remediation_measures': 'Rotation of exposed credentials',
              'third_party_assistance': 'OX Security'},
 'stakeholder_advisories': 'Telnyx confirmed core infrastructure was '
                           'unaffected; SDK operates independently of backend '
                           'systems',
 'threat_actor': 'TeamPCP',
 'title': 'TeamPCP Exploits Telnyx Python SDK in Supply Chain Attack',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Compromised Python SDK versions (4.87.1, 4.87.2)'}