TeamPCP compromises Telnyx Python SDK on PyPI - malware hidden inside sound files

Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.

Check

Audit your Python environments for the Telnyx package.

Affected

telnyx 4.87.1 and 4.87.2 on PyPI.

Fix

Downgrade to telnyx 4.87.0. Rotate all credentials on any system that ran the poisoned versions.