A supply chain attack hit the Telnyx Python SDK today. It also happened to hit uncomfortably close to home.
Before We Get Into It: Some Basics
Telnyx is a widely-used cloud communications platform that provides APIs for phone calls, SMS, MMS, and other telecom services. If you've ever used an automated phone system, a voice agent, or programmatic texting, there's a decent chance Telnyx was under the hood.
PyPI (the Python Package Index) is the official online repository where developers share and download software packages. Think of it as an app store, but for code that developers plug into their projects. When a developer runs pip install telnyx, they're pulling from PyPI.
TeamPCP is the threat group taking credit for this exploit. They didn't just hit Telnyx — they orchestrated a multi-stage campaign that started days earlier with other targets.
What Happened
On March 27, 2026, two unauthorized versions of the Telnyx Python SDK — versions 4.87.1 and 4.87.2 — were published to PyPI between 03:51 and 04:07 UTC. Both contained malicious code designed to steal credentials the moment the package was installed. You didn't even have to run any code — just installing it was enough.
But this wasn't a random drive-by. The Telnyx compromise was stage three of a coordinated attack chain:
Stage 1 — TeamPCP compromised an open-source vulnerability scanner, harvesting developer credentials and environment variables.
Stage 2 — A few days later, they targeted LiteLLM AI Gateway, a popular Python library for AI model integration. Their harvester swept environment variables, .env files, and shell histories from every system that imported it.
Stage 3 — Using publishing tokens harvested from the LiteLLM breach, TeamPCP pushed malicious versions of the official Telnyx SDK to PyPI. Stages 1 and 2 existed to enable stage 3.
This wasn't typosquatting — where an attacker publishes a similarly-named package hoping developers will mistype. This was a direct compromise of a legitimate, trusted package using stolen maintainer credentials. A significant escalation in sophistication, as researchers from Endor Labs noted.
What the Malicious Code Actually Did
The technical details here are genuinely alarming. The attackers embedded their payload inside the audio frame data of a valid WAV file — a creative and previously unseen technique designed to evade automated scanning.
Here's what the malware targeted by platform:
- Linux/macOS: SSH keys, cloud credentials, Docker/npm/Git/Vault authentication tokens, database credentials, environment configuration files, shell histories, and cryptocurrency wallet data
- Windows: Installation of a persistent executable
- Kubernetes clusters: Deployment of privileged pods across all nodes in
kube-system, mounting host root filesystems with elevated permissions to establish persistence directly on infrastructure
The compromised package was notably smaller than the legitimate version because the actual payload was fetched at runtime from a command-and-control server using a raw IP address. Researchers from Socket, Endor Labs, Aikido Security, and Wiz (now part of Google Cloud) independently identified the compromise and confirmed TeamPCP's fingerprints — including reuse of an RSA-4096 public key and the same AES-256-CBC + RSA OAEP encryption scheme from the LiteLLM attack.
Full Disclosure: This One Hit Close to Home
A lot of articles I write on this blog discuss cybersecurity events and the statistical fallout of various attacks. This one, however, hit uncomfortably close.
I had recently been looking into phone providers to find the cheapest option that would support cold calling — which turned out to be harder than you'd think. A surprising number of telecom providers expressly prohibit cold calling. They'll analyze your call patterns and boot you from their platform. I was genuinely surprised by this, given that cold calling is still a dominant part of how many salespeople do their jobs.
As my options narrowed, I started looking at less expensive providers. Compared to the price of Twilio, which can really spike on you — especially if you're doing a lot of outbound calling — I found Telnyx to be quite affordable. And that was honestly the driving factor behind why I went with their service.
You get what you pay for.
I spent about a day and a half working with their AI voice agent, tweaking its ability to speak in cohesive English, before realizing there was no way to fully remove the robot from the robot. I moved on to other elements of the project I was working on.
For three days leading up to this announcement, I was convinced my stack was compromised. Everything I checked kept coming back green, but the behavior of my service left me feeling otherwise. Finding out it was actually an attack is not as reassuring as you might think — but seeing Telnyx identify and respond to it within hours is at least better than them discovering it six months later and trying to cover it up.
What You Should Do If You Use Telnyx
Telnyx moved quickly. The malicious packages were quarantined by 10:13 UTC the same morning — roughly six hours after publication. Their platform, APIs, voice services, and infrastructure were not compromised. The incident was isolated to the PyPI distribution channel.
That said, if you installed or upgraded the Telnyx Python package between 03:51 and 10:13 UTC on March 27, 2026:
- Check your version: Run
pip show telnyxin your terminal. If you see version 4.87.1 or 4.87.2, treat your environment as compromised. - Downgrade immediately:
pip install telnyx==4.87.0 - Rotate everything: SSH keys, API keys, cloud credentials, database passwords — anything accessible from that environment.
- Audit for persistence: Check for unfamiliar executables, cron jobs, or Kubernetes pods you didn't create.
- Monitor outbound traffic: Look for connections to unfamiliar IP addresses.
A Note on Breach Notifications
When the email from Telnyx hit my inbox, I'll be honest — it looked spammy. That's actually a common reaction to legitimate breach notifications, and it's worth talking about.
Fraudsters regularly impersonate a company's support team after initiating an attack. It's a well-documented social engineering tactic. So when you receive a breach notification, your instinct to be skeptical is actually correct. But here's the thing: it might also be your only communication, because the company is now extremely busy dealing with a very serious problem.
Always verify independently. Don't click links in the email. Go directly to the company's website (type it in yourself), check their status page, and look for corroborating reports from security researchers or news outlets. In this case, I went to Telnyx's website — which was fully down — and then found independent confirmation from security firms Socket and Endor Labs.
The Takeaway
Supply chain attacks are not new. But the sophistication of this one — a three-stage campaign that compromised one tool to steal credentials to compromise another, culminating in a poisoned package from a trusted source — represents exactly the kind of threat that keeps security teams up at night.
For small and mid-size organizations that rely on third-party services (which is everyone), this is a reminder that your security posture extends well beyond your own walls. The tools you depend on, the packages you install, and the vendors you trust are all part of your attack surface.
Telnyx has said they'll provide additional guidance within 24 hours. A full technical postmortem is expected to follow.
Stay tuned to the One Guy Consulting Compliance Blog for updates as this story develops. I'm rather invested in their fix deployment, and when they spill the tea, you can bet our reporting will be here lickety-split following the announcement.
Sources: Infosecurity Magazine, Help Net Security, Telnyx Security Advisory Email (March 27, 2026)