A Sound File That Steals Your Passwords
It started with a sound file.
On March 27, 2026, two versions of the telnyx Python package - 4.87.1 and 4.87.2 - appeared on PyPI. To any automated security scanner, they looked clean. The packages were published under the legitimate Telnyx publisher account. The code was nearly identical to the real SDK. And buried inside one of the assets was a standard .wav audio file that nobody thought twice about.
Except the WAV file wasn't playing music. It was carrying malware - hidden inside the audio frame data using steganography, a technique that conceals code inside innocent-looking files. The moment a developer ran pip install telnyx during that window, the payload executed silently in the background.
This is the TeamPCP playbook. And it's working.
Who Is TeamPCP?
TeamPCP is a threat group that specializes in Python supply chain attacks - specifically targeting the developer and AI/ML community. They don't use typosquatting (creating fake packages with similar names). That's too easy to catch. Instead, they compromise the real publisher accounts and push backdoored versions under the legitimate package name.
Their previous major hit: LiteLLM, a widely used Python library that connects AI applications to dozens of language models. When they compromised LiteLLM, they didn't just steal from the LiteLLM team - they harvested environment variables, .env files, and shell histories from every machine that had ever imported litellm.
That sweep gave them something incredibly valuable: a list of developers who also had Telnyx publishing credentials stored on their machines.
Three days later, the Telnyx SDK was backdoored.
The Attack Chain: Step by Step
Understanding how this works reveals why it's so hard to stop:
Step 1 - Compromise LiteLLM
TeamPCP gains access to the LiteLLM package or a maintainer's machine. They push a subtle information-stealing payload that harvests env vars, secrets files, and CI/CD tokens from any machine that installs it.
Step 2 - Credential harvest at scale
LiteLLM is used by thousands of AI developers and applications. Every pip install litellm on an affected machine phones home with whatever secrets that developer has stored. This is passive - it runs every time the package is imported.
Step 3 - Identify Telnyx credentials
Among the harvested secrets, TeamPCP finds PyPI publishing tokens for the Telnyx SDK. This is possible because many developers work on multiple projects, and their credentials live in the same environment - shell configs, .env files, ~/.pypirc files.
Step 4 - Push backdoored Telnyx versions
Using the stolen publishing token, they push versions 4.87.1 and 4.87.2 of the telnyx package. The malicious payload is hidden using steganography inside a WAV file bundled with the package.
Step 5 - Deploy the payload
Any developer who installs the backdoored version gets:
- Windows: A persistent executable that survives reboots
- Linux/macOS: An information stealer that runs at import time
Step 6 - Exfiltrate everything
The payload grabs SSH keys, API tokens, .env file contents, and environment variables - then sends them to TeamPCP's command-and-control server.
The WAV File Trick: Steganography Explained
Steganography is the art of hiding data inside other data. While cryptography makes data unreadable, steganography makes it invisible.
In the Telnyx attack, TeamPCP hid their malicious code inside the audio frame data of a legitimate-looking WAV sound file bundled with the SDK. Here's why this is clever:
- Security scanners look for executable code in .py, .exe, .sh files - not .wav files
- The WAV file plays correctly if you actually open it (it's a valid audio file)
- No signature matches exist for malware hidden this way (it's too new)
- Human reviewers wouldn't suspect an audio file in a Python package
When the package runs, it reads the WAV file's audio frame data, extracts the hidden code, and executes it in memory - leaving minimal forensic trace.
Side note: TeamPCP's first attempt (4.87.1) had a typo in the WAV extraction code that broke the malware. So they published 4.87.2 to fix their own malicious bug. Both versions were eventually quarantined by PyPI's security team.
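A scanner that skips the .wav file can still catch the loader, because some Python module has to read the audio frames and then execute what it extracts. The following is an added example, not code from this article or from the telnyx package: a static triage pass over an unpacked wheel or sdist that flags modules which both read media data and call a dynamic-execution primitive. The function names, the extension list, and the sample source are assumptions made for illustration, and the check is a heuristic that aliasing or obfuscation can evade.

```python
import ast
import os

MEDIA_EXT = (".wav", ".mp3", ".png", ".jpg", ".gif", ".ico")
EXEC_BUILTINS = {"exec", "eval", "compile"}
EXEC_ATTRS = {("marshal", "loads"), ("os", "system"), ("subprocess", "run")}

def _callee(call):
    """(base, name): base is "" for a bare name, "?" for anything complex."""
    f = call.func
    if isinstance(f, ast.Name):
        return "", f.id
    if isinstance(f, ast.Attribute):
        return getattr(f.value, "id", "?"), f.attr
    return "?", ""

def audit_source(source, filename="<source>"):
    """Return (media_lines, exec_lines) for one module; heuristic triage only."""
    media, execs = set(), set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            base, name = _callee(node)
            if (base, name) == ("wave", "open") or name == "readframes":
                media.add(node.lineno)
            elif (base == "" and name in EXEC_BUILTINS) or (base, name) in EXEC_ATTRS:
                execs.add(node.lineno)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(MEDIA_EXT):
                media.add(node.lineno)
    return sorted(media), sorted(execs)

def audit_tree(root):
    """Flag .py files under an unpacked wheel/sdist that do both; imports nothing."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in (f for f in files if f.endswith(".py")):
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    media, execs = audit_source(fh.read(), path)
            except (SyntaxError, ValueError):
                continue  # not parseable as Python 3: review by hand
            if media and execs:
                hits[path] = (media, execs)
    return hits

# Constructed sample of the pattern (not code from the telnyx package).
SAMPLE = ('import wave\nw = wave.open("ring.wav")\n'
          'blob = w.readframes(w.getnframes())\nexec(decode(blob))\n')
```

Run audit_tree on a directory produced by unpacking the archive rather than on an installed package, so nothing from the package is imported or executed during review.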
What Gets Stolen
If you installed the backdoored version, here's what TeamPCP can access:
| Category | Specific Targets |
|---|---|
| SSH keys | ~/.ssh/id_rsa, ~/.ssh/id_ed25519, all private keys |
| Environment variables | Everything in your shell environment at runtime |
| .env files | Database URLs, API keys, secrets from project directories |
| Shell history | Commands you've run - often contains tokens pasted inline |
| Config files | ~/.aws/credentials, ~/.npmrc, ~/.pypirc |
| Cloud tokens | AWS, GCP, Azure, Cloudflare, GitHub tokens |
For most developers, this is everything. API keys to production systems. Cloud credentials. Database passwords. GitHub tokens that can push code to your repos.
Are You Affected? Check Right Now
Check your installed version:
pip show telnyx
If the version is 4.87.1 or 4.87.2, you were affected. Immediately:
- Upgrade: pip install telnyx --upgrade
- Rotate all secrets on that machine - assume everything is compromised
- Check your cloud provider's audit logs for unexpected API calls
- Revoke and reissue SSH keys stored on the affected machine
- Review your GitHub/GitLab for unauthorized pushes or OAuth apps
Check if you ever had litellm installed:
pip show litellm
If litellm is or was installed, treat any machine it ran on as potentially harvested - even if you never installed the bad Telnyx versions. The litellm stage of the attack is older and potentially broader.
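pip show only reports on the environment it runs in, and most developer machines hold many virtual environments. The following is an added example, not part of the original article: it walks a directory tree, reads each *.dist-info/METADATA file directly, and reports telnyx 4.87.1 or 4.87.2 and any litellm install without importing either package. The function names and the REVIEW/AFFECTED labels are assumptions; litellm is flagged at every version because the article gives no version range for that stage.

```python
import os
import re

# Versions named in this article; litellm is flagged at any version because
# the article gives no version range for that stage.
BAD_VERSIONS = {"telnyx": {"4.87.1", "4.87.2"}}
FLAG_ANY_VERSION = {"litellm"}

def _normalize(name):
    # PEP 503 normalisation, so "Telnyx" and "telnyx" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def read_metadata(dist_info_dir):
    """Return (name, version) from a *.dist-info/METADATA file, or None."""
    name = version = None
    try:
        with open(os.path.join(dist_info_dir, "METADATA"),
                  encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("Name:"):
                    name = line.split(":", 1)[1].strip()
                elif line.startswith("Version:"):
                    version = line.split(":", 1)[1].strip()
                elif not line.strip():
                    break  # headers end at the first blank line
    except OSError:
        return None
    return (_normalize(name), version) if name and version else None

def scan(root):
    """Walk root and return sorted (status, name, version, path) findings."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in [d for d in dirnames if d.endswith(".dist-info")]:
            full = os.path.join(dirpath, d)
            meta = read_metadata(full)
            if meta is None:
                continue
            name, version = meta
            if version in BAD_VERSIONS.get(name, ()):
                findings.append(("AFFECTED", name, version, full))
            elif name in FLAG_ANY_VERSION:
                findings.append(("REVIEW", name, version, full))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan(os.path.expanduser("~")):
        print(*finding, sep="\t")
```

A clean result only covers what is installed now: uninstalling or upgrading removes the old dist-info directory, so pair this with lockfiles, CI logs, and pip cache contents to establish whether an affected version was ever present.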
The Bigger Picture: TeamPCP's Supply Chain Rampage
This isn't a one-off. TeamPCP is actively working through the credential lists harvested from LiteLLM victims, looking for publishing tokens for other popular packages. They've demonstrated they'll use those credentials quickly - the Telnyx attack came just days after the LiteLLM compromise.
The AI developer ecosystem is particularly at risk because:
- AI projects frequently depend on a large number of Python packages
- Developers often have credentials for multiple services in their environments
- CI/CD pipelines running AI code have machine-level access to production secrets
- The pace of AI development means packages are installed rapidly, without careful vetting
Security researchers are warning that more backdoored packages are likely coming from the same credential batch. If you work with Python AI/ML libraries, now is the time to audit your environment.
How to Protect Yourself Going Forward
1. Use a secrets manager - stop putting secrets in .env files
Tools like HashiCorp Vault, AWS Secrets Manager, or even 1Password CLI mean your secrets never sit as plaintext on disk.
2. Audit your pip installs
Before installing any package, check:
- When was it last updated? (Suspicious update - check changelog)
- Does the PyPI page match the GitHub repo?
- Any recent issues or security advisories?
3. Use virtual environments
Isolate project dependencies so a compromised package in one project doesn't have access to secrets from another.
4. Enable PyPI 2FA for any package you publish
Two-factor authentication on your PyPI account prevents credential theft from leading to a backdoored push.
5. Run your CI/CD with minimal permissions
Your CI runner shouldn't have SSH keys, cloud admin tokens, or personal API credentials. Use role-based access with the minimum permissions needed.
6. Check your installed packages against known-malicious lists
Tools like pip-audit and safety can flag packages with known vulnerabilities. Subscribe to PyPI's security advisories.
The Con at Infrastructure Level
This is what makes TeamPCP's approach so insidious: it's not a scam aimed at naive users. It's social engineering at the infrastructure level - exploiting the trust that developers place in package managers.
You don't think twice about pip install. You trust that PyPI packages are what they say they are. TeamPCP weaponizes that trust by becoming, temporarily, the legitimate publisher. There's no typo in the name to catch. No suspicious domain. Just the package you've installed a hundred times before - now working for them.
And they hid it in a sound file. Because nobody checks sound files.
If you use Python packages for AI development, check your installations now and rotate any secrets on affected machines. More updates at ScamWatchHQ.com.



