GHSA-955r-262c-33jc

## Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the `telnyx` Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline. ## Exposure Window | Version | Published (UTC) | Quarantined (UTC) | Exposure | |---------|-----------------|-------------------|----------| | 4.87.1 (broken) | 2026-03-27 03:51 | 2026-03-27 10:13 | 6h 22m | | 4.87.2 (functional) | 2026-03-27 04:07 | 2026-03-27 10:13 | 6h 6m | **Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.** **Note:** Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional. ## Who Is Affected You may be affected if: - You installed or upgraded the `telnyx` Python package between 03:51 UTC and 10:13 UTC on March 27, 2026 - You ran `pip install telnyx` without pinning a version and received 4.87.1 or 4.87.2 - A dependency in your project pulled in `telnyx` as a transitive, unpinned dependency You are NOT affected if: - You pinned to version 4.87.0 or earlier - You installed before March 27, 2026 and did not upgrade - You built from GitHub source (malicious code was never committed to the repository) ## Attack Details ### Root Cause The attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository. ### Malicious Behavior The malware is injected into `telnyx/_client.py` (74 additional lines) and executes on `import telnyx`: **Linux/macOS:** 1. Spawns detached subprocess to survive parent exit 2. Downloads payload hidden inside WAV audio file (steganography) from C2 3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets 4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement 5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2 **Windows:** 1. Downloads binary hidden inside WAV file from C2 2. Drops as `msbuild.exe` in Startup folder for persistence 3. Executes with hidden window ### Version Differences | Version | Status | Notes | |---------|--------|-------| | 4.87.1 | Broken | Typo: `Setup()` instead of `setup()` caused NameError | | 4.87.2 | Functional | Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational | ## Verified Safe Version | Version | File | SHA-256 | |---------|------|--------| | **4.87.0** | `telnyx-4.87.0-py3-none-any.whl` | `5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2` | | **4.87.0** | `telnyx-4.87.0.tar.gz` | `3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a` | ## Recommended Actions ### 1. Check If You Are Affected ```bash # Check installed version pip show telnyx | grep Version # Check pip cache for telnyx versions pip cache list telnyx 2>/dev/null # Check when telnyx was installed (modification time) ls -la $(python -c "import site; print(site.getsitepackages()[0])")/telnyx* 2>/dev/null ``` ### 2. Remove Compromised Versions ```bash pip uninstall telnyx ``` ### 3. Rotate All Potentially Exposed Secrets If there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised: - SSH keys - AWS/GCP/Azure credentials - Kubernetes tokens and service accounts - Docker registry credentials - Database passwords - API keys in .env files - Telnyx API keys ### 4. Check for Persistence (Linux/macOS) ```bash # Check for malicious systemd service systemctl --user status audiomon 2>/dev/null ls -la ~/.config/audiomon/ 2>/dev/null # Check state file ls -la /tmp/.initd_state 2>/dev/null ``` ### 5. Check for Persistence (Windows) ```powershell # Check Startup folder Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe" ``` ### 6. Pin to Safe Version ```bash pip install telnyx==4.87.0 ``` Or in requirements.txt: ``` telnyx==4.87.0 ``` ## Indicators of Compromise ### Malicious Package Hashes | File | SHA-256 | |------|--------| | `telnyx-4.87.1-py3-none-any.whl` | `7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9` | | `telnyx-4.87.2-py3-none-any.whl` | `cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3` | ### Network | IoC | Type | |-----|------| | `83.142.209.203` | C2 IP address | | `http://83.142.209.203:8080/ringtone.wav` | Payload endpoint (Linux/macOS) | | `http://83.142.209.203:8080/hangup.wav` | Payload endpoint (Windows) | | `http://83.142.209.203:8080/raw` | Persistence polling endpoint | ### Filesystem | Path | Platform | Purpose | |------|----------|--------| | `~/.config/audiomon/audiomon.py` | Linux/macOS | Persistence implant | | `~/.config/systemd/user/audiomon.service` | Linux | Persistence service | | `/tmp/.initd_state` | Linux/macOS | State tracking | | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe` | Windows | Persistence binary | | `msbuild.exe.lock` | Windows | 12-hour cooldown lock | ### Exfiltration - Archive name: `tpcp.tar.gz` - HTTP header: `X-Filename: tpcp.tar.gz` - Encryption: AES-256-CBC + RSA-4096 OAEP ## Attribution This attack is attributed to **TeamPCP** with high confidence based on: - Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026) - `tpcp.tar.gz` archive naming convention (TeamPCP signature) - Identical AES-256-CBC + RSA OAEP encryption scheme - Same credential harvesting targets and techniques RSA Key Hash: - PEM SHA-256: `4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a` ## Resources - https://github.com/team-telnyx/telnyx-python/issues/235 - https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm - https://ramimac.me/teampcp

A developer building an AI voice assistant installs telnyx as a transitive dependency without pinning. During the 6-hour window, pip resolves to 4.87.2. On first import in a CI/CD runner with AWS credentials mounted, the malware spawns a detached subprocess, downloads a payload hidden in a WAV file from C2, then harvests ~/.aws/credentials, Kubernetes kubeconfig, and all .env files. Encrypted with RSA-4096, credentials are exfiltrated silently. TeamPCP uses the AWS keys to enumerate the AI infrastructure, discovers a production LLM serving cluster in EKS, deploys privileged pods to all nodes, and establishes persistent access — days before anyone notices the original telnyx incident.