PyPI Compromised: Malicious Code in `telnyx` Packages Leads to Credential Theft and Malware Installation

Source: DEV Community
## Executive Summary

The PyPI repository has once again fallen victim to a sophisticated supply chain attack, this time targeting the `telnyx` package in versions 4.87.1 and 4.87.2. The culprit, TeamPCP, reused the same RSA key and `tpcp.tar.gz` exfiltration header as in their previous litellm compromise, demonstrating a pattern of persistence and technical sophistication. The malicious code, injected into `telnyx/_client.py`, activates on `import telnyx` and requires no user interaction: a silent but deadly intrusion.

## Technical Breakdown of the Attack

The payload was concealed within WAV audio files using steganography, a technique that embeds data within seemingly innocuous files. This method bypasses traditional network inspection tools, as the malicious code is hidden in plain sight. Upon execution:

- **Linux/macOS systems:** The malware steals credentials, encrypts them using AES-256 and RSA-4096, and exfiltrates them to the attacker's command-and-control (C2) server. The encryption ensures the data
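Two facts from the breakdown above give a defender something concrete to check: the affected versions are 4.87.1 and 4.87.2, and the payload travelled inside WAV files bundled with a package that has no reason to ship audio. The script below is an added example, not code from the article or from Telnyx. It reports whether the installed `telnyx` matches an affected version, then walks a package directory, parses every `.wav` it finds with a minimal RIFF chunk reader, and scores the `data` chunk's byte entropy. The function names, the 7.5-bit threshold and the sample package directory it builds in a temp folder are this example's own constructions; only the package name and version numbers come from the article.

```python
"""Defender-side check for the telnyx PyPI compromise described above.

Added example, not code from the article or from Telnyx. Function names,
the entropy threshold and the constructed sample directory are this
example's own; the package name and affected versions come from the article.
"""
import importlib.metadata
import math
import random
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

# Versions named in the advisory.
AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}


def is_affected_version(version: str) -> bool:
    """True if the given telnyx version is one the advisory names."""
    return version.strip() in AFFECTED_VERSIONS


def installed_telnyx_version() -> Optional[str]:
    """Version of telnyx in this interpreter's environment, or None if absent."""
    try:
        return importlib.metadata.version("telnyx")
    except importlib.metadata.PackageNotFoundError:
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def wav_data_chunk(raw: bytes) -> bytes:
    """Return the payload of the first 'data' chunk of a RIFF/WAVE blob.

    Walks the chunk list rather than trusting a fixed 44-byte header, so
    files with extra chunks before 'data' are still read correctly.
    """
    if len(raw) < 12 or raw[:4] != b"RIFF" or raw[8:12] != b"WAVE":
        return b""
    pos = 12
    while pos + 8 <= len(raw):
        chunk_id = raw[pos:pos + 4]
        size = struct.unpack("<I", raw[pos + 4:pos + 8])[0]
        if chunk_id == b"data":
            return raw[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return b""


def find_wav_files(package_dir: str, entropy_threshold: float = 7.5) -> List[dict]:
    """List every .wav under an installed package and score its audio payload.

    An SDK has no business shipping audio, so every hit deserves a look;
    entropy near 8.0 means the 'samples' are encrypted or compressed data
    rather than PCM audio.
    """
    findings = []
    for path in sorted(Path(package_dir).rglob("*.wav")):
        payload = wav_data_chunk(path.read_bytes())
        entropy = shannon_entropy(payload)
        findings.append({
            "path": str(path),
            "payload_bytes": len(payload),
            "entropy": round(entropy, 2),
            "high_entropy": entropy >= entropy_threshold,
        })
    return findings


def _write_wav(path: Path, samples: bytes) -> None:
    """Write a minimal 8-bit mono PCM WAV around the given sample bytes."""
    fmt = b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    pad = b"\x00" if len(samples) & 1 else b""
    data = b"data" + struct.pack("<I", len(samples)) + samples + pad
    body = b"WAVE" + fmt + data
    path.write_bytes(b"RIFF" + struct.pack("<I", len(body)) + body)


def build_sample_package_dir() -> str:
    """Constructed stand-in for a site-packages/telnyx tree (not real files)."""
    root = Path(tempfile.mkdtemp(prefix="telnyx_sample_")) / "telnyx"
    (root / "assets").mkdir(parents=True)
    # Benign: sawtooth tone using 64 distinct byte values -> entropy exactly 6.0.
    _write_wav(root / "assets" / "ring.wav", bytes((i % 64) + 96 for i in range(4096)))
    # Stand-in for a stego carrier: seeded pseudo-random bytes, entropy near 8.0.
    rng = random.Random(7)
    _write_wav(root / "assets" / "hold.wav", bytes(rng.getrandbits(8) for _ in range(4096)))
    return str(root)


if __name__ == "__main__":
    v = installed_telnyx_version()
    print("installed telnyx:", v, "(AFFECTED)" if v and is_affected_version(v) else "")
    for finding in find_wav_files(build_sample_package_dir()):
        print(finding)
```

Run it inside the virtual environment you want to audit; point `find_wav_files` at the real install location (`python -c "import telnyx, os; print(os.path.dirname(telnyx.__file__))"` on a host where importing is acceptable, or the path under `site-packages` otherwise). The entropy score is a heuristic: 16-bit recordings of real audio can also score high, and the article does not describe how the payload was encoded inside the WAV, so the script makes no attempt to extract anything. The strong signal is simpler than the score: a client SDK that suddenly ships audio files is worth a quarantine and a diff against the previous release.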