VYPR
Research · Published Mar 30, 2026 · Updated May 20, 2026 · 1 source

TeamPCP Weaponizes Telnyx Python SDK with WAV Steganography in Cross-Platform Credential Theft Campaign

Three days after compromising LiteLLM, TeamPCP published malicious Telnyx SDK versions to PyPI, using WAV audio steganography and split-file injection to steal credentials across Windows, Linux, and macOS.

Three days after compromising the LiteLLM AI proxy package, the threat actor known as TeamPCP struck again. On March 27, 2026, two malicious versions of the Telnyx Python SDK — a cloud communications library with over 700,000 downloads in February — were published to PyPI. The payload represents a clear shift in the campaign's tradecraft, combining credential-stealing code hidden inside WAV audio files via steganography, split-file code injection to evade visual inspection, and the campaign's first Windows-specific persistence mechanism. PyPI quarantined versions 4.87.1 and 4.87.2 at 10:13 UTC, after roughly 6.5 hours of exposure, according to the project's GitHub security advisory.

Attribution to TeamPCP is definitive. Trend Micro's analysis found multiple elements that are byte-for-byte identical to the LiteLLM payload: the RSA-4096 public key, the tpcp.tar.gz campaign ID, the X-Filename: tpcp.tar.gz exfiltration header, the OpenSSL encryption chain (rand + AES-256-CBC + RSA-OAEP + tar), the temporary file naming convention, and the subprocess stdin pipe execution pattern. This confirms reuse of the same toolchain. As of writing, researchers have not been able to determine how TeamPCP obtained the Telnyx project's PyPI publishing credentials; the project's GitHub advisory states that no workflow-level credential exposure was identified, and the PyPI trusted publisher (OIDC) was not configured.

The Telnyx variant improves on the LiteLLM payload by distributing its malicious components across three widely separated locations in _client.py. A Base64 decode wrapper function (_d()) is buried among legitimate imports; the Linux orchestrator and credential harvester appear as a 4,428-character Base64 string placed between __all__ and the class definition; and the Windows execution path with WAV steganography logic is appended after all legitimate classes at the end of the file. All sensitive strings in the Windows path are obfuscated using the _d() wrapper, which Base64-decodes strings at runtime — a departure from LiteLLM where strings remained in plaintext within the Base64-encoded payload.
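
The split-injection shape described above (a tiny runtime Base64 decode helper in one place, a large Base64 literal somewhere else in the same module) is something a package-audit script can look for without executing anything. The scanner below is an added example, not code from Trend Micro, Telnyx, or the malicious package; it walks a module's AST and reports short functions that wrap `b64decode` together with long string constants that decode cleanly as Base64. The 512-character threshold and the fixture sources are assumptions constructed for this example.

```python
import ast
import base64
import binascii
import re

# Assumption for this example: a string literal at least this long that decodes
# cleanly as Base64 is treated as an embedded blob (a tuning choice, not a rule).
MIN_LITERAL_LEN = 512
B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")


def _is_decode_wrapper(fn: ast.FunctionDef) -> bool:
    """A short function whose body calls b64decode/b32decode, like the _d() helper."""
    if len(fn.body) > 3:
        return False
    for node in ast.walk(fn):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in ("b64decode", "b32decode", "b16decode"):
                return True
    return False


def _is_base64_blob(s: str) -> bool:
    """True if the literal (whitespace removed) is long and valid Base64."""
    compact = "".join(s.split())
    if len(compact) < MIN_LITERAL_LEN or not B64_CHARS.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except binascii.Error:
        return False
    return True


def scan_source(src: str) -> dict:
    """Report decode wrappers and Base64 blobs; both together is the split-injection shape."""
    tree = ast.parse(src)
    wrappers, blobs = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef) and _is_decode_wrapper(node):
            wrappers.append((node.name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _is_base64_blob(node.value):
                blobs.append((node.lineno, len(node.value)))
    return {
        "decode_wrappers": wrappers,
        "base64_blobs": blobs,
        # Either element alone is common in clean code; the pair is what stands out.
        "suspicious": bool(wrappers) and bool(blobs),
    }


# Constructed fixtures (not the real _client.py): a module in the described layout,
# and a clean module that merely decodes tokens.
_BLOB = base64.b64encode(b"print('constructed benign blob')\n" * 20).decode()
SUSPICIOUS_SOURCE = (
    "import base64\n\n"
    "def _d(s):\n"
    "    return base64.b64decode(s).decode()\n\n"
    "__all__ = ['Client']\n\n"
    f"_PAYLOAD = '{_BLOB}'\n\n"
    "class Client:\n"
    "    pass\n"
)
CLEAN_SOURCE = (
    "import base64\n\n"
    "def decode_token(t):\n"
    "    return base64.b64decode(t)\n"
)

if __name__ == "__main__":
    print(scan_source(SUSPICIOUS_SOURCE))
    print(scan_source(CLEAN_SOURCE))
```

Run it over every `.py` in a freshly installed wheel (`site-packages/<package>/`) rather than over the sdist alone, since the injected file is what actually executes on import.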

The most significant change from the LiteLLM attack is that the Telnyx variant no longer embeds the credential harvester in the source code. Instead, it downloads the harvester at runtime, hidden inside structurally valid WAV audio files hosted on the command-and-control server. The extraction process reads the WAV file's raw audio frames using Python's wave module, Base64-decodes them, then splits the data: the first 8 bytes serve as an XOR key, while the remaining bytes constitute the XOR-encrypted payload. Each byte is XORed against the rotating 8-byte key to recover the cleartext. As a result, static analysis of the package source code reveals no harvester logic — the actual credential-stealing script exists only on the C&C server inside audio files that pass MIME-type validation as legitimate media.
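
A WAV file that passes MIME-type checks can still be caught by looking at what is inside its data chunk: real PCM audio is not printable text, and it certainly does not decode as Base64. The triage helper below is an added example written for this article, not code from the malware or from Trend Micro's analysis. It reads the frames with Python's `wave` module, measures how much of them is printable ASCII, and, when the frames are valid Base64, applies the layout described above (first 8 decoded bytes as a rotating XOR key, the rest as the body) so an analyst can recover the embedded script for inspection. The two fixtures are constructed in-memory test inputs; the hidden text in the first is a harmless one-liner.

```python
import base64
import binascii
import io
import wave
from typing import Optional

KEY_LEN = 8  # from the description: the first 8 decoded bytes are the rotating XOR key


def read_frames(wav_bytes: bytes) -> bytes:
    """Return the raw audio frames of an in-memory WAV file."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.readframes(w.getnframes())


def printable_ratio(frames: bytes) -> float:
    """Fraction of frame bytes that are printable ASCII; genuine PCM sits well below 1.0."""
    if not frames:
        return 0.0
    return sum(32 <= b < 127 for b in frames) / len(frames)


def extract_hidden_payload(frames: bytes) -> Optional[bytes]:
    """Decode the described layout: Base64 frames -> 8-byte key + XOR'd body, else None."""
    try:
        raw = base64.b64decode(frames.strip(), validate=True)
    except binascii.Error:
        return None  # not Base64 at all: ordinary audio
    if len(raw) <= KEY_LEN:
        return None
    key, body = raw[:KEY_LEN], raw[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def triage_wav(wav_bytes: bytes) -> dict:
    """Summarise one WAV file: printable ratio, whether frames are Base64, decoded payload."""
    frames = read_frames(wav_bytes)
    payload = extract_hidden_payload(frames)
    return {
        "printable_ratio": round(printable_ratio(frames), 3),
        "frames_are_base64": payload is not None,
        "payload": payload,
    }


def _wav_from_frames(frames: bytes) -> bytes:
    """Wrap bytes in a minimal 8-bit mono WAV container (constructed fixture helper)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)   # 1-byte frames, so readframes returns the bytes unchanged
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()


def make_stego_fixture() -> bytes:
    """Constructed sample in the described layout, carrying a harmless one-liner."""
    key = bytes(range(1, KEY_LEN + 1))
    body = b"print('constructed benign payload')\n"
    xored = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return _wav_from_frames(base64.b64encode(key + xored))


def make_clean_fixture() -> bytes:
    """Constructed ordinary 8-bit PCM ramp: not Base64, low printable ratio."""
    return _wav_from_frames(bytes(range(256)) * 4)


if __name__ == "__main__":
    print(triage_wav(make_stego_fixture()))
    print(triage_wav(make_clean_fixture()))
```

A printable ratio near 1.0 on its own is enough to pull a file for review; the decode step only matters once you want to see what the file carried. Media fetched by a Python process with `wave`-sized reads that never reach an audio device is the behavioural counterpart worth alerting on.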

Unlike the earlier LiteLLM incident, the Telnyx variant adds Windows support with Startup folder persistence alongside Linux and macOS execution. The Windows execution path uses msbuild.exe as a filename and leverages the Startup folder for persistence, ensuring the malware runs on every user login. This cross-platform credential theft campaign demonstrates the group's evolving tradecraft and abuse of trusted communication APIs. Any system that installed the affected versions should be treated as fully compromised; users are strongly advised to downgrade to the last known clean release, Telnyx 4.87.0, as soon as possible.
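
Two quick post-incident checks follow directly from the facts above: whether a host has one of the quarantined releases installed, and whether its per-user Startup folder holds anything other than the shortcuts that normally live there. The script below is an added example, not part of the advisory or of Trend Micro's tooling. The affected version numbers and the `msbuild.exe` filename come from the text; the assumption that a Startup folder legitimately contains only `.lnk` shortcuts and `desktop.ini` is this example's heuristic, and the fixture directory is constructed for testing.

```python
import importlib.metadata
import os
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}   # quarantined releases named above
LAST_CLEAN_VERSION = "4.87.0"
CAMPAIGN_FILENAMES = {"msbuild.exe"}      # filename used by the Windows path, per the text
# Assumption: a per-user Startup folder holds .lnk shortcuts (plus desktop.ini);
# a real executable or script dropped there deserves a look whatever its name.
EXPECTED_SUFFIXES = {".lnk", ".ini"}


def telnyx_version_is_affected(version=None) -> bool:
    """True if the given (or locally installed) telnyx version is a malicious release."""
    if version is None:
        try:
            version = importlib.metadata.version("telnyx")
        except importlib.metadata.PackageNotFoundError:
            return False
    return version in AFFECTED_VERSIONS


def user_startup_dir() -> Path:
    """Per-user Windows Startup folder (assumes APPDATA is set, as it is on Windows)."""
    base = Path(os.environ.get("APPDATA", ""))
    return base / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def scan_startup_dir(startup_dir) -> list:
    """Return (path, reason) pairs for entries that should not be in a Startup folder."""
    startup_dir = Path(startup_dir)
    findings = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        name = entry.name.lower()
        if name in CAMPAIGN_FILENAMES:
            # A build tool has no business in Startup; the real one lives under
            # Visual Studio / .NET install paths, not in a user profile.
            findings.append((str(entry), "campaign indicator: build-tool name in Startup"))
        elif entry.is_file() and entry.suffix.lower() not in EXPECTED_SUFFIXES:
            findings.append((str(entry), "non-shortcut file in Startup"))
    return findings


def make_fixture_startup_dir() -> str:
    """Constructed Startup folder: one shortcut, desktop.ini, and one planted file."""
    d = tempfile.mkdtemp(prefix="startup_fixture_")
    (Path(d) / "Example app.lnk").write_bytes(b"")
    (Path(d) / "desktop.ini").write_bytes(b"")
    (Path(d) / "msbuild.exe").write_bytes(b"MZ")  # placeholder bytes, not a real binary
    return d


if __name__ == "__main__":
    print("installed telnyx affected:", telnyx_version_is_affected())
    print("startup findings:", scan_startup_dir(user_startup_dir()))
```

On a real host run `scan_startup_dir(user_startup_dir())` under each interactive account, and treat any finding as confirmation that the package's Windows path executed; downgrading to 4.87.0 removes the installed code but not an entry already planted in Startup.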

The TeamPCP campaign has been marked by a series of supply-chain attacks targeting widely used open-source packages. The group's ability to rapidly pivot from LiteLLM to Telnyx, while introducing significant evasion improvements, signals a mature and well-resourced operation. The use of audio steganography to hide payloads represents a notable escalation in stealth techniques, making detection by traditional static analysis tools far more difficult. Defenders should monitor for unusual PyPI package versions, unexpected WAV file downloads from C&C servers, and the specific indicators of compromise shared by Trend Micro in their full analysis.

Synthesized by Vypr AI