Particle.news

TeamPCP Poisons Telnyx Python SDK on PyPI With WAV‑Hidden Infostealer

Researchers say the tainted releases stole credentials using code hidden in a WAV audio file.

Overview

  • Two rogue releases of the Telnyx Python SDK, versions 4.87.1 and 4.87.2, were posted Friday, March 27, and deployed credential-stealing code on Windows, macOS, and Linux.
  • Telnyx said it solved the root cause and reported no access to its platform or customer data because the SDK has no privileged reach.
  • Security teams advise anyone who installed those versions to roll back to 4.87.0 and rotate all API keys, SSH keys, and cloud credentials.
  • Analysts found the package pulled a valid-sounding ringtone.wav that carried a base64 payload in its audio frames, which was decoded with an XOR key to drop a multi-stage collector.
  • Investigators tied the theft to TeamPCP through a reused RSA public key, and GitGuardian flagged at least 470 repositories and 1,900 packages as downstream exposure from related compromises.
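
A defender-side check for the WAV technique described above, as an added example that is not from the article or from the researchers it cites: it reads a WAV file's audio frames and flags frame data that consists entirely of base64 text. The function names, the 64-byte threshold, and both sample inputs are assumptions constructed for illustration.

```python
import base64
import io
import math
import struct
import wave

B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)

def wav_frames(data: bytes) -> bytes:
    """Return the raw audio frame bytes of a WAV file held in memory."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return w.readframes(w.getnframes())

def looks_like_base64(frames: bytes, min_len: int = 64) -> bool:
    """True when the frame data is only base64 text that decodes cleanly.

    Real PCM samples use the full byte range, so a long run drawn only from
    the base64 alphabet is a strong sign of embedded non-audio data.
    """
    # Tolerate trailing zero padding and line breaks inside the text.
    body = b"".join(frames.rstrip(b"\x00").split())
    if len(body) < min_len or not set(body) <= B64_ALPHABET:
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def make_wav(frames: bytes) -> bytes:
    """Build a 16-bit mono WAV in memory (helper for constructed samples)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

# Constructed sample 1: a real 440 Hz tone, 0.1 s of PCM audio.
TONE = make_wav(struct.pack(
    "<800h", *(int(12000 * math.sin(2 * math.pi * 440 * i / 8000)) for i in range(800))
))
# Constructed sample 2: benign placeholder text, base64-encoded into the frames.
SUSPECT = make_wav(base64.b64encode(b"constructed benign placeholder, not malware " * 4))

if __name__ == "__main__":
    for name, blob in (("tone", TONE), ("suspect", SUSPECT)):
        print(name, looks_like_base64(wav_frames(blob)))
```

A hit is a triage signal, not a verdict: the file still parses as valid audio, so the check works on frame content rather than on the header.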