Signal

TeamPCP targets Telnyx PyPI package in ongoing supply chain attacks


Published 2026-03-26 22:28 UTC · Updated 2026-03-27 16:53 UTC
Tags: cve, exploits, malware, threat_actors, supply_chain, incident_response
Overview

The threat actor TeamPCP has expanded its supply chain attack campaign by compromising the Telnyx Python package on PyPI. By publishing malicious versions 4.87.1 and 4.87.2, TeamPCP delivered credential-stealing malware concealed within WAV files.

Entities
Telnyx, Endor Labs, Socket, LiteLLM, Trivy, Vect ransomware
Score total: 1.5
Momentum 24h: 5
Posts: 5
Origins: 5
Source types: 1
Duplicate ratio: 0%
Why now
  • TeamPCP’s recent activity includes multiple malicious package versions published on March 27, 2026, indicating an active and ongoing campaign.
  • The rapid succession of attacks following the Trivy breach shows attackers exploiting stolen credentials to escalate supply chain compromises.
  • New findings on the Telnyx package compromise highlight the evolving tactics of threat actors targeting software development tools.
Why it matters
  • Supply chain attacks on popular development packages risk widespread credential theft and persistent malware infections.
  • TeamPCP’s use of stolen credentials and sophisticated malware delivery methods increases the threat to software supply ecosystems.
  • Developers and organizations relying on PyPI packages must urgently review and mitigate risks from compromised dependencies.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • TeamPCP compromised the Telnyx Python package on PyPI by publishing malicious versions 4.87.1 and 4.87.2, which deliver credential-stealing malware hidden in WAV files.
  • TeamPCP exploited credentials stolen from the Trivy breach to push malware to the LiteLLM package on PyPI, exposing developers to credential theft and persistent backdoors.
How sources frame it
  • Infosecurity Magazine: neutral
  • The Hacker News: neutral
  • Help Net Security: neutral
This cluster highlights a significant escalation in supply chain attacks by TeamPCP, targeting widely used Python packages with credential-stealing malware hidden in unconventional file formats.
All evidence
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
The Hacker News · thehackernews.com · 2026-03-27 16:53 UTC
TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack
Infosecurity Magazine · infosecurity-magazine.com · 2026-03-27 15:06 UTC
TeamPCP strikes again: Backdoored Telnyx PyPI package delivers malware
Help Net Security · helpnetsecurity.com · 2026-03-27 13:46 UTC
LiteLLM Hit in Cascading Supply-Chain Attack
BankInfoSecurity · bankinfosecurity.com · 2026-03-26 22:28 UTC
Top publishers (this list)
  • The Hacker News (1)
  • Infosecurity Magazine (1)
  • SANS Internet Storm Center (Handler's Diary) (1)
  • Help Net Security (1)
  • BankInfoSecurity (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • infosecurity-magazine.com (1)
  • isc.sans.edu (1)
  • helpnetsecurity.com (1)
  • bankinfosecurity.com (1)