By March 27, 2026, the threat actor group TeamPCP had been running an active supply chain campaign for over a week. The Telnyx Python SDK — around 742,000 downloads per month — became the latest victim when two malicious versions appeared on PyPI.
The Broader TeamPCP Campaign
This attack didn't happen in isolation. The timeline of TeamPCP activity shows a methodical escalation across ecosystems:
- March 19: Trivy vulnerability scanner compromised (CVE-2026-33634, CVSS 9.4); 44 Aqua repositories renamed with a "tpcp-docs-" prefix
- March 20: CanisterWorm deployed across 46+ npm packages using stolen tokens
- March 22: WAV steganography observed in a Kubernetes wiper variant
- March 23: Checkmarx GitHub Actions compromised; two OpenVSX extensions hijacked
- March 24: LiteLLM versions 1.82.7 and 1.82.8 backdoored (95M monthly downloads)
- March 27: Telnyx SDK hit
How the WAV Steganography Works
The malware payload is base64-encoded and embedded inside audio frame data within WAV files, disguising malicious content as a legitimate audio file. Content-based filters looking for obvious malware signatures miss it entirely.
Windows path: Downloads hangup.wav, decodes an XOR-obfuscated executable from it, drops the binary into the Windows Startup folder as msbuild.exe with a 12-hour re-drop cooldown.
Linux/macOS path: A hardcoded base64 second-stage Python script fetches ringtone.wav, decodes a third-stage credential collector, and pipes it for execution. Collected data is AES-256-CBC encrypted (wrapped in RSA-4096 OAEP), then exfiltrated as tpcp.tar.gz.
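The base64-in-audio-frames trick described above, as an added detection example that is not from the advisory or from Telnyx: it walks the RIFF chunk list of a WAV file and measures how much of the data chunk is drawn from the base64 alphabet, since real PCM frames use the whole byte range while an encoded text payload does not. The two WAV files are constructed inline; the check keys only on the base64 text encoding described here and will not flag a raw or XOR-only binary payload.

```python
import base64
import math
import string
import struct

# Byte values legal in a base64 text payload (plus CR/LF for line-wrapped output).
BASE64_BYTES = set((string.ascii_letters + string.digits + "+/=\r\n").encode("ascii"))

def wav_data_chunk(blob: bytes) -> bytes:
    """Walk the RIFF chunk list and return the body of the 'data' chunk."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        if chunk_id == b"data":
            return blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    raise ValueError("no data chunk found")

def base64_fraction(data: bytes) -> float:
    """Share of bytes from the base64 alphabet: ~0.26 for uniform PCM, 1.0 for base64 text."""
    if not data:
        return 0.0
    return sum(b in BASE64_BYTES for b in data) / len(data)

def looks_like_stego_wav(blob: bytes, threshold: float = 0.95) -> bool:
    """Flag a WAV whose audio frames are really base64 text. Raw binary payloads are not caught."""
    return base64_fraction(wav_data_chunk(blob)) >= threshold

def build_wav(frames: bytes, sample_rate: int = 8000) -> bytes:
    """Wrap arbitrary bytes in a minimal 16-bit mono PCM container (used to construct samples)."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate * 2, 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(frames)) + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed benign sample: a 440 Hz tone rendered as signed 16-bit PCM.
TONE = b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / 8000)))
                for i in range(4000))
BENIGN_WAV = build_wav(TONE)

# Constructed stego sample: harmless text, base64-encoded, placed where audio frames belong.
STEGO_WAV = build_wav(base64.b64encode(b"print('stage-two placeholder, not malware')\n" * 20))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAV), ("stego", STEGO_WAV)):
        print(name, round(base64_fraction(wav_data_chunk(blob)), 2), looks_like_stego_wav(blob))
```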
Indicators of Compromise
Malicious PyPI versions:
- telnyx==4.87.1 — SHA256: 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
- telnyx==4.87.2 — SHA256: cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3
Network:
- C2 server: 83.142.209.203:8080
- Windows payload URL: hxxp://83.142.209.203:8080/hangup.wav
- Linux/macOS payload URL: hxxp://83.142.209.203:8080/ringtone.wav
- Exfil POST header: X-Filename: tpcp.tar.gz
Windows persistence:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe.lock
Remediation
Pin Telnyx to version 4.87.0 or earlier and remove the malicious 4.87.1 and 4.87.2 releases from every environment immediately. Rotate all credentials accessible from the affected environment. On Windows, check the Startup folder for msbuild.exe (and its msbuild.exe.lock companion) and monitor outbound connections to 83.142.209.203.
The WAV steganography approach represents a deliberate effort to evade signature-based detection. Tools that inspect package contents structurally — rather than just matching known hashes — are essential for catching this class of attack.