TeamPCP hackers planted malicious code in tainted Telnyx Python SDK versions using a fake ringtone file to steal credentials, crypto wallets, and keys.

A relatively new group of hackers known as TeamPCP has struck again, this time targeting the popular communication platform Telnyx. This latest move follows a string of interconnected cyberattacks reported by Wiz Research and Checkmarx just last week, including a breach of the Trivy security tool on 19 March 2026.

As Hackread.com recently reported regarding the Trivy incident, this group is becoming notorious for supply chain attacks, a method where hackers sneak malicious code into trusted software to infect users automatically.

According to researchers at OX Security, who shared their findings with Hackread.com, the group uploaded two ‘tainted versions’ of the Telnyx Python library (4.87.1 and 4.87.2) on the morning of 27 March 2026. These libraries are essential building blocks for apps, and with over 700,000 monthly downloads, the potential for damage is high.

The Fake Audio Trick

As per OX Security’s investigation, the hackers disguised their code by hiding it inside a file called _client.py, which was programmed to download a harmless-looking file named ringtone.wav from a remote server.

For your information, this audio file was actually a scrambled program. Once it landed on a computer, it began hunting for sensitive data, including SSH keys (digital master keys), cryptocurrency wallets like Bitcoin and Ethereum, and credentials for Google Cloud and Azure. This is exactly like the attack on LiteLLM we reported earlier this week.

TeamPCP Uses Fake Ringtone File in Tainted Telnyx SDK to Steal Credentials
Attack chain (Source: OX Security)

Is Your Data Safe?

Thankfully, Telnyx reacted quickly. Writing on X (Twitter), the company confirmed they have “solved the root cause” of the breach. Importantly, they confirmed that the Telnyx platform, voice services, messaging infrastructure, and AI inference were not affected. The company clarified that the SDK is a client library that has “no privileged access to Telnyx infrastructure,” and as a result, no customer data was accessed.

However, while their core phone networks and customer databases remained untouched, the risk is very real for developers. As researchers noted, the breach only affected those who ran the “pip install telnyx” command during the brief window the malicious files were live.

So, if you updated your software on 27 March, check your version immediately. If you are running 4.87.1 or 4.87.2, you are at risk. The advice from experts is simple: revert to version 4.87.0 and, as researchers urged, “rotate all keys and secrets immediately” to ensure hackers cannot use any stolen login details.
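
The version check described above, as an added example (not code from Hackread.com, OX Security or Telnyx): it flags the two tainted releases both in a requirements-style pin list and in the current Python environment. The function names and the sample pin list are constructed for illustration, and only exact `telnyx==` pins are parsed, not version ranges or other lock-file formats.

```python
import re
from importlib import metadata

# Versions the article names as tainted.
TAINTED = {"4.87.1", "4.87.2"}

# Exact pins such as "telnyx==4.87.1" or "Telnyx == 4.87.2 ; python_version >= '3.9'".
PIN_RE = re.compile(r"^\s*telnyx\s*(?:\[[^\]]*\])?\s*={2,3}\s*([0-9][\w.!+-]*)", re.I)

# Constructed sample in requirements.txt / `pip freeze` format.
SAMPLE_PINS = """\
requests==2.32.3
telnyx==4.87.1
# telnyx==4.87.2  (commented out, must be ignored)
Telnyx == 4.87.2 ; python_version >= "3.9"
telnyx==4.87.0
telnyx==4.87.10
telnyx-helper==4.87.1
"""

def tainted_pins(text):
    """Return [(line_number, version)] for each telnyx pin on a tainted release."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PIN_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if match and match.group(1) in TAINTED:
            hits.append((lineno, match.group(1)))
    return hits

def installed_status(lookup=metadata.version):
    """Classify the telnyx distribution installed in this environment.

    metadata.version() reads the installed dist-info and never imports
    telnyx, so running the check does not execute any package code.
    """
    try:
        version = lookup("telnyx")
    except metadata.PackageNotFoundError:
        return ("not-installed", None)
    return ("tainted" if version in TAINTED else "ok", version)

if __name__ == "__main__":
    for lineno, version in tainted_pins(SAMPLE_PINS):
        print(f"line {lineno}: telnyx {version} is a tainted release")
    print("installed:", installed_status())
```

A hit from either function means following the advice above: revert to 4.87.0 and rotate all keys and secrets.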

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.