Particle.news

TeamPCP Backdoors Telnyx PyPI SDK With Install-Time Stealer

Researchers say stolen publishing tokens let attackers ship install-time malware through a trusted package.

Overview

  • The attackers published telnyx versions 4.87.1 and 4.87.2 to PyPI early Friday without matching GitHub tags, pointing to compromised maintainer credentials.
  • The package executed code on install and fetched a payload hidden in WAV audio from a raw-IP server, using a persistent fake msbuild.exe on Windows and a fast in-memory collector on Linux and macOS.
  • The stealer targeted SSH keys, cloud credentials, developer tool logins, environment and database files, shell histories, and crypto wallets, and it attempted Kubernetes takeover by deploying privileged pods to each node.
  • Researchers attributed the breach to TeamPCP based on a reused RSA-4096 public key, the same AES-256-CBC plus RSA-OAEP exfiltration scheme, and distinctive archive headers seen in recent LiteLLM activity.
  • The PyPI project is quarantined and experts urge downgrading to 4.87.0, auditing for 4.87.1 or 4.87.2, rotating all secrets, blocking 83.142.209.203:8080, and locking down CI publishing tokens as the campaign shifts to trusted packages.
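An added defender-side audit, written for this summary and not Telnyx's or the researchers' own tooling, covering two of the checks above: flagging dependency pins on 4.87.1 or 4.87.2 and listing PyPI releases that have no matching git tag. The requirements text, release list and tag list are constructed samples; in practice the latter two would come from the PyPI JSON API and `git tag`.

```python
import re

PACKAGE = "telnyx"
# Versions the report names as backdoored, and the last clean release to pin.
BACKDOORED = {"4.87.1", "4.87.2"}
SAFE_PIN = "4.87.0"

# Constructed sample inputs, not real project data.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
telnyx==4.87.2   # pulled in by an automated dependency bump
Telnyx>=4.80     # range spec from a second service
"""
SAMPLE_PYPI_RELEASES = ["4.86.0", "4.87.0", "4.87.1", "4.87.2"]
SAMPLE_GIT_TAGS = ["v4.86.0", "v4.87.0"]

_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([\w.]+)?")


def _vtuple(v):
    """'v4.87.1' or '4.87.1' -> (4, 87, 1); None for non-numeric tags."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", v)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def affected_pins(requirements_text):
    """Return (line, finding) for every telnyx entry needing action: an exact
    pin on a backdoored version, or a range spec the resolver could satisfy
    with a backdoored release (reported as 'range' for manual review)."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _REQ.match(line)
        if not m or m.group(1).lower() != PACKAGE:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==":
            if ver in BACKDOORED:
                findings.append((line, ver))
        else:
            findings.append((line, "range"))
    return findings


def untagged_releases(pypi_versions, git_tags):
    """PyPI releases with no matching git tag ('v' prefix tolerated). A
    non-empty result is the credential-compromise signal noted above."""
    tagged = {t for t in map(_vtuple, git_tags) if t is not None}
    return sorted(v for v in pypi_versions if _vtuple(v) not in tagged)


if __name__ == "__main__":
    print("review, pin to", f"{PACKAGE}=={SAFE_PIN}:", affected_pins(SAMPLE_REQUIREMENTS))
    print("untagged releases:", untagged_releases(SAMPLE_PYPI_RELEASES, SAMPLE_GIT_TAGS))
```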