GHSA-955r-262c-33jc: telnyx: PyPI supply chain attack steals cloud creds
GHSA-955r-262c-33jc CRITICALTeamPCP compromised PyPI credentials to publish malicious telnyx 4.87.2 — malware executes silently on import, harvesting AWS/GCP/Azure keys, Kubernetes tokens, SSH keys, and .env files, then exfiltrating them to C2. If any environment installed telnyx between 03:51–10:13 UTC on March 27, 2026, treat all accessible credentials as fully compromised and rotate immediately. This is the same threat actor that hit LiteLLM three days prior — systematic targeting of AI/ML Python tooling is underway.
What is the risk?
Critical. The attack requires zero user interaction beyond a pip install — malicious code executes on import with no warnings. The 6-hour window overlaps with global business hours, making automated CI/CD pipeline ingestion highly probable. TeamPCP's sophistication (steganographic payload delivery, AES-256-CBC + RSA-4096 encryption, Kubernetes lateral movement capability) and demonstrated focus on AI/ML ecosystem packages elevates this beyond a typical supply chain incident. Credential theft targeting cloud infrastructure creates a blast radius far beyond the initial telnyx dependency.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| telnyx | pip | >= 4.87.1, <= 4.87.2 | No patch |
Do you use telnyx? You're affected.
How severe is it?
What should I do?
7 steps-
Audit all environments: pip show telnyx — flag any 4.87.1 or 4.87.2 installation.
-
If exposed: rotate all credentials immediately — SSH keys, AWS/GCP/Azure IAM, Kubernetes service accounts, Docker registry tokens, database passwords, API keys in .env files, and Telnyx API keys.
-
Check for persistence: systemctl --user status audiomon (Linux), ls ~/.config/audiomon/ (macOS), Get-ChildItem $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe (Windows).
-
Block C2 at perimeter: 83.142.209.203:8080 (all protocols).
-
Pin telnyx==4.87.0 and verify SHA-256: whl=5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2.
-
Audit all CI/CD pipelines for unpinned PyPI dependencies.
-
Hunt for TeamPCP RSA key hash 4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a across environment.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-955r-262c-33jc?
TeamPCP compromised PyPI credentials to publish malicious telnyx 4.87.2 — malware executes silently on import, harvesting AWS/GCP/Azure keys, Kubernetes tokens, SSH keys, and .env files, then exfiltrating them to C2. If any environment installed telnyx between 03:51–10:13 UTC on March 27, 2026, treat all accessible credentials as fully compromised and rotate immediately. This is the same threat actor that hit LiteLLM three days prior — systematic targeting of AI/ML Python tooling is underway.
Is GHSA-955r-262c-33jc actively exploited?
No confirmed active exploitation of GHSA-955r-262c-33jc has been reported, but organizations should still patch proactively.
How to fix GHSA-955r-262c-33jc?
1. Audit all environments: pip show telnyx — flag any 4.87.1 or 4.87.2 installation. 2. If exposed: rotate all credentials immediately — SSH keys, AWS/GCP/Azure IAM, Kubernetes service accounts, Docker registry tokens, database passwords, API keys in .env files, and Telnyx API keys. 3. Check for persistence: systemctl --user status audiomon (Linux), ls ~/.config/audiomon/ (macOS), Get-ChildItem $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe (Windows). 4. Block C2 at perimeter: 83.142.209.203:8080 (all protocols). 5. Pin telnyx==4.87.0 and verify SHA-256: whl=5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2. 6. Audit all CI/CD pipelines for unpinned PyPI dependencies. 7. Hunt for TeamPCP RSA key hash 4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a across environment.
What systems are affected by GHSA-955r-262c-33jc?
This vulnerability affects the following AI/ML architecture patterns: AI/ML CI/CD pipelines, LLM-powered voice and messaging backends, Agent frameworks with communication tools, Cloud-deployed AI services (AWS/GCP/Azure), Kubernetes-hosted model serving.
What is the CVSS score for GHSA-955r-262c-33jc?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.001 Malicious Package AML.T0012 Valid Accounts AML.T0025 Exfiltration via Cyber Means AML.T0055 Unsecured Credentials AML.T0074 Masquerading AML.T0091.000 Application Access Token Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the `telnyx` Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline. ## Exposure Window | Version | Published (UTC) | Quarantined (UTC) | Exposure | |---------|-----------------|-------------------|----------| | 4.87.1 (broken) | 2026-03-27 03:51 | 2026-03-27 10:13 | 6h 22m | | 4.87.2 (functional) | 2026-03-27 04:07 | 2026-03-27 10:13 | 6h 6m | **Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.** **Note:** Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional. ## Who Is Affected You may be affected if: - You installed or upgraded the `telnyx` Python package between 03:51 UTC and 10:13 UTC on March 27, 2026 - You ran `pip install telnyx` without pinning a version and received 4.87.1 or 4.87.2 - A dependency in your project pulled in `telnyx` as a transitive, unpinned dependency You are NOT affected if: - You pinned to version 4.87.0 or earlier - You installed before March 27, 2026 and did not upgrade - You built from GitHub source (malicious code was never committed to the repository) ## Attack Details ### Root Cause The attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository. ### Malicious Behavior The malware is injected into `telnyx/_client.py` (74 additional lines) and executes on `import telnyx`: **Linux/macOS:** 1. Spawns detached subprocess to survive parent exit 2. Downloads payload hidden inside WAV audio file (steganography) from C2 3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets 4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement 5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2 **Windows:** 1. Downloads binary hidden inside WAV file from C2 2. Drops as `msbuild.exe` in Startup folder for persistence 3. Executes with hidden window ### Version Differences | Version | Status | Notes | |---------|--------|-------| | 4.87.1 | Broken | Typo: `Setup()` instead of `setup()` caused NameError | | 4.87.2 | Functional | Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational | ## Verified Safe Version | Version | File | SHA-256 | |---------|------|--------| | **4.87.0** | `telnyx-4.87.0-py3-none-any.whl` | `5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2` | | **4.87.0** | `telnyx-4.87.0.tar.gz` | `3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a` | ## Recommended Actions ### 1. Check If You Are Affected ```bash # Check installed version pip show telnyx | grep Version # Check pip cache for telnyx versions pip cache list telnyx 2>/dev/null # Check when telnyx was installed (modification time) ls -la $(python -c "import site; print(site.getsitepackages()[0])")/telnyx* 2>/dev/null ``` ### 2. Remove Compromised Versions ```bash pip uninstall telnyx ``` ### 3. Rotate All Potentially Exposed Secrets If there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised: - SSH keys - AWS/GCP/Azure credentials - Kubernetes tokens and service accounts - Docker registry credentials - Database passwords - API keys in .env files - Telnyx API keys ### 4. Check for Persistence (Linux/macOS) ```bash # Check for malicious systemd service systemctl --user status audiomon 2>/dev/null ls -la ~/.config/audiomon/ 2>/dev/null # Check state file ls -la /tmp/.initd_state 2>/dev/null ``` ### 5. Check for Persistence (Windows) ```powershell # Check Startup folder Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe" ``` ### 6. Pin to Safe Version ```bash pip install telnyx==4.87.0 ``` Or in requirements.txt: ``` telnyx==4.87.0 ``` ## Indicators of Compromise ### Malicious Package Hashes | File | SHA-256 | |------|--------| | `telnyx-4.87.1-py3-none-any.whl` | `7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9` | | `telnyx-4.87.2-py3-none-any.whl` | `cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3` | ### Network | IoC | Type | |-----|------| | `83.142.209.203` | C2 IP address | | `http://83.142.209.203:8080/ringtone.wav` | Payload endpoint (Linux/macOS) | | `http://83.142.209.203:8080/hangup.wav` | Payload endpoint (Windows) | | `http://83.142.209.203:8080/raw` | Persistence polling endpoint | ### Filesystem | Path | Platform | Purpose | |------|----------|--------| | `~/.config/audiomon/audiomon.py` | Linux/macOS | Persistence implant | | `~/.config/systemd/user/audiomon.service` | Linux | Persistence service | | `/tmp/.initd_state` | Linux/macOS | State tracking | | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe` | Windows | Persistence binary | | `msbuild.exe.lock` | Windows | 12-hour cooldown lock | ### Exfiltration - Archive name: `tpcp.tar.gz` - HTTP header: `X-Filename: tpcp.tar.gz` - Encryption: AES-256-CBC + RSA-4096 OAEP ## Attribution This attack is attributed to **TeamPCP** with high confidence based on: - Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026) - `tpcp.tar.gz` archive naming convention (TeamPCP signature) - Identical AES-256-CBC + RSA OAEP encryption scheme - Same credential harvesting targets and techniques RSA Key Hash: - PEM SHA-256: `4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a` ## Resources - https://github.com/team-telnyx/telnyx-python/issues/235 - https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm - https://ramimac.me/teampcp
Exploitation Scenario
A developer building an AI voice assistant installs telnyx as a transitive dependency without pinning. During the 6-hour window, pip resolves to 4.87.2. On first import in a CI/CD runner with AWS credentials mounted, the malware spawns a detached subprocess, downloads a payload hidden in a WAV file from C2, then harvests ~/.aws/credentials, Kubernetes kubeconfig, and all .env files. Encrypted with RSA-4096, credentials are exfiltrated silently. TeamPCP uses the AWS keys to enumerate the AI infrastructure, discovers a production LLM serving cluster in EKS, deploys privileged pods to all nodes, and establishes persistent access — days before anyone notices the original telnyx incident.
Weaknesses (CWE)
CWE-506 — Embedded Malicious Code: The product contains code that appears to be malicious in nature.
- [Implementation, Operation] Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Data Extraction CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Data Extraction CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain