This morning's Telnyx compromise is the latest move in what is now a weeks-long TeamPCP supply chain campaign crossing multiple ecosystems. Trivy. Checkmarx. LiteLLM. And now Telnyx on PyPI, uploaded hours ago at 03:51 UTC on March 27.
The pattern is consistent: steal credentials from a trusted security tool, use those credentials to push malicious versions of whatever that tool had access to, collect whatever's running in the next environment, repeat.
Where This Fits in the Campaign
A quick recap of what TeamPCP has done over the past two weeks:
March 19: Trivy compromised. Aqua Security's open source vulnerability scanner was backdoored, resulting in CVE-2026-33634 (CVSS 9.4). Attackers exfiltrated credentials from every CI/CD pipeline running Trivy without version pinning. 44 Aqua Security GitHub repositories were renamed with the prefix tpcp-docs- and the description "TeamPCP Owns Aqua Security."
March 20: CanisterWorm hits npm. Using stolen tokens from Trivy users, TeamPCP published the CanisterWorm backdoor across 46+ npm packages including scopes like @EmilGroup and @opengov. The worm automated token-to-compromise: given one stolen npm token, it enumerated all publishable packages, bumped versions, and published across the entire scope in under 60 seconds.
March 22: I first observed TeamPCP using WAV steganography to deliver payloads in their Kubernetes wiper variant. I flagged it on Twitter at the time: "TeamPCP is now embedding their malware in .wav files."
March 23: Checkmarx. The kics-github-action and ast-github-action GitHub Actions were compromised, along with two OpenVSX extensions (cx-dev-assist 1.7.0 and ast-results 2.53.0). The payload used a new C2 domain, checkmarx[.]zone, impersonating the Checkmarx brand. 35 tags were hijacked between 12:58 and 16:50 UTC; malicious code was removed three hours later.
March 24: LiteLLM. Versions 1.82.7 and 1.82.8 of the LiteLLM PyPI package were published using credentials stolen from LiteLLM's CI/CD pipeline, which ran unpinned Trivy. LiteLLM serves roughly 95 million downloads per month and is increasingly deployed as a centralized LLM gateway with access to credentials for OpenAI, Anthropic, AWS Bedrock, GCP VertexAI, and more. PyPI quarantined the packages after about three hours. The C2 was models[.]litellm[.]cloud.
March 27 (today): Telnyx. Two malicious versions of the official Telnyx Python SDK hit PyPI this morning. Telnyx has been downloaded 742k times over the last month.
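Two checks fall directly out of this timeline: the Trivy and Checkmarx stages both worked because pipelines referenced actions by mutable tags rather than commit SHAs, and the LiteLLM stage shipped as specific PyPI versions that can be matched against an environment. The script below is an added example written for this post, not code from the author or from any affected project. It flags `uses:` references in a GitHub Actions workflow that are not pinned to a full commit SHA, and matches `pip freeze` output against the malicious LiteLLM versions named above. The workflow text, the action names and the freeze output are constructed sample inputs (the SHA is a made-up placeholder); the Telnyx versions are not listed because the post does not name them.

```python
"""Added example (not from the original post): defender-side checks derived
from the TeamPCP campaign timeline.

1. Report `uses:` references in GitHub Actions workflows that resolve via a
   tag or branch instead of a full 40-hex commit SHA.
2. Report installed PyPI packages whose versions match the malicious releases
   the post names (LiteLLM 1.82.7 and 1.82.8).
"""
import re

# Malicious PyPI releases named in the post. Keys are normalised project names.
# Telnyx is omitted because the post does not list its affected versions.
KNOWN_BAD_PYPI = {
    "litellm": {"1.82.7", "1.82.8"},
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` references not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are skipped. Anything
    else that resolves through a tag or branch is reported: whoever holds
    the maintainer's credentials can move that tag to a backdoored commit,
    which is exactly how unpinned Trivy users were exposed.
    """
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _repo, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def compromised_packages(freeze_output: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from `pip freeze` output that match a
    known-malicious release from this campaign."""
    hits = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        name = name.lower().replace("_", "-")
        if version.strip() in KNOWN_BAD_PYPI.get(name, set()):
            hits.append((name, version.strip()))
    return hits


# Constructed sample inputs. The commit SHA is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

SAMPLE_FREEZE = """\
litellm==1.82.7
requests==2.32.3
numpy==1.26.4
"""

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
    for name, version in compromised_packages(SAMPLE_FREEZE):
        print(f"known-malicious package installed: {name}=={version}")
```

Run it against the real `.github/workflows/*.yml` files and `pip freeze` output from each CI runner; extend KNOWN_BAD_PYPI as further versions are confirmed. Pinning to a SHA is what stops a stolen token from silently retargeting a tag, which is why the first check reports every tag or branch reference rather than only the ones belonging to the projects already hit.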