TeamPCP Compromises Telnyx Python SDK in Third PyPI Supply Chain Attack
TeamPCP has compromised the official Telnyx Python SDK on PyPI, publishing malicious versions that exfiltrate SSH private keys and bash history at install time.
TeamPCP has again expanded its supply chain attacks on open-source repositories by targeting Telnyx, according to security researchers. On March 27, researchers from Socket and Endor Labs revealed that the official Telnyx Python SDK on PyPI had been compromised in a software supply chain attack. The malicious versions 4.87.1 and 4.87.2 contained code designed to steal SSH private keys and bash history files from victim environments, exfiltrating them to an attacker-controlled server at install time. This marks the group's third known campaign, following earlier attacks on Trivy and LiteLLM.
The attack leveraged compromised maintainer credentials rather than exploiting a vulnerability in PyPI's infrastructure. By gaining legitimate publishing access, the attacker pushed trojanized versions that appeared authentic to any automated or manual dependency resolution process. Because the package retained its legitimate name and continued to function as expected, detection through casual inspection or functional testing would be extremely difficult. The malicious payload executed at install time, meaning a developer or automated pipeline simply installing or updating the package would trigger the attack without needing to import or run any of the package's actual functionality.
The injected payload specifically targeted files of high value in a lateral movement or credential harvesting context. SSH private keys would allow an attacker to pivot to other systems the victim has access to, while bash history files could expose commands containing credentials, server addresses, internal tooling, or other sensitive operational information. The data exfiltration was performed over HTTP to an external endpoint controlled by the attacker. Socket researchers noted that the group has recently started partnering with the Vect ransomware group to turn supply chain compromises into large-scale ransomware operations.
Endor Labs researchers emphasized that the pattern exhibited by TeamPCP reflects a maturation in supply chain attack methodology. Rather than relying solely on typosquatting, which depends on a developer making a naming mistake, this actor has demonstrated the capability and willingness to directly compromise legitimate, trusted packages with real user bases. This significantly raises the risk profile because developers and security teams who explicitly trust a known package and pin to it by name are not protected against this class of attack. The three-day interval between the LiteLLM and Telnyx compromises further suggests that the actor is actively iterating and moving quickly across targets.
Telnyx is a cloud communications platform that provides APIs for phone calls, SMS, MMS, and other telecom services. Its Python SDK is widely used by developers integrating Telnyx services into their applications. The compromise of such a trusted package underscores the growing sophistication of supply chain attacks targeting open-source ecosystems. Researchers from Socket, Endor Labs, Aikido Security, and Wiz (now part of Google Cloud) independently confirmed the findings.
Organizations are advised to audit their environments for the presence of the malicious versions (4.87.1 and 4.87.2) and rotate any credentials or keys that may have been exposed on systems where the compromised package was installed. The malicious versions should not be used. This incident highlights the need for stronger credential management and multi-factor authentication for package maintainers, as well as runtime monitoring for suspicious behavior during package installation.