On March 27, 2026, attackers hijacked PyPI credentials for the telnyx Python package—a library for Telnyx’s voice and messaging APIs—and pushed out versions 4.87.1 and 4.87.2 laced with credential-stealing malware. These hit PyPI directly, skipping the project’s GitHub repo entirely. Version 4.87.1 flopped due to a capitalization typo, but 4.87.2 worked fully. PyPI yanked both by 10:13 UTC, after a roughly six-hour exposure window. If you pulled telnyx unpinned during that slice—03:51 to 10:13 UTC—you likely got hit.
This matters because the malware doesn’t mess around: it grabs SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, Docker configs, .env files, database creds, and even crypto wallets. On Linux/macOS it hides its payload in WAV files via steganography, persists via detached subprocesses, and, if it snags K8s access, spins up privileged pods across nodes for lateral spread. Windows victims get a fake msbuild.exe dropped in the Startup folder. Everything exfils encrypted (AES-256-CBC + RSA-4096) to a command-and-control server. Supply-chain attacks like this expose thousands of developers and their infrastructure; one stolen AWS key can rack up six-figure bills or, worse, lead to a full breach.
Who Got Burned
You’re vulnerable if you ran pip install telnyx (or pip install --upgrade telnyx) without version pins between those hours, or if one of your dependencies pulled in telnyx transitively. No pins? Pip grabs the latest release, and in that window the latest release was the malware. Installed before 2026-03-27 and skipped upgrades? Safe. Building from GitHub source? Also clean, since the repo stayed legit.
PyPI’s response clocked in fast—six hours—but that’s an eternity in auto-deploy pipelines. CI/CD rigs, Lambda functions, or Docker images built in that window now harbor backdoors. Telnyx users span comms apps, bots, and enterprise telephony; compromised creds mean attackers pivot to SMS bombing, call spoofing, or chaining into customer data. Broader context: PyPI sees dozens of these yearly (recall cryptography’s 2023 incident or endless typosquatting). Credential stuffing on PyPI accounts is rampant—use API tokens sparingly, rotate them, and enable 2FA.
How the Attack Unfolded
Attackers scored the project’s PyPI API token, then uploaded tampered wheels and sdists. No GitHub commits trace back—pure bypass. In telnyx/_client.py, they injected 74 lines that fire on import. Linux/macOS flow: spawn subprocess, fetch stego’d WAV from C2, decrypt, harvest creds, optionally infest K8s, encrypt loot, phone home. Windows: snag binary from WAV, persist as msbuild.exe, run hidden.
Version 4.87.1 bombed because the injected code called Setup() where it should have been lowercase setup(), triggering a NameError; the attacker fixed it 16 minutes later in 4.87.2. Skeptical take: the quick iteration shows pros at work, but the typo bought defenders time. PyPI’s quarantine severed downloads, but installs and cached wheels already on disk, including copies pulled into air-gapped environments during the window, persist.
Lock It Down
Verify now:
pip show telnyx | grep Version
pip cache list | grep telnyx
If 4.87.1 or 4.87.2 shows up, uninstall it with pip uninstall telnyx. Reinstall the safe 4.87.0 and verify the downloaded files against these SHA-256 hashes:
telnyx-4.87.0-py3-none-any.whl: 5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2
telnyx-4.87.0.tar.gz: 3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a
Pins are your shield: telnyx==4.87.0 in requirements.txt. Audit deps with pip-audit or Safety CLI. Scan hosts for anomalies: a stray msbuild.exe, odd K8s pods, C2 traffic. Rotate every credential type the malware harvests. Long-term: MFA on PyPI, short-lived tokens, reproducible builds from source. This incident underscores PyPI’s fragility: adopt lockfiles the way npm does, or better, own your deps.
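As an added example (not from the original write-up or from Telnyx), a small Python triage script that applies the checks above offline: it flags the two malicious releases among installed distributions, reports requirements lines that reference telnyx without an exact pin to 4.87.0, and verifies a downloaded wheel or sdist against the published SHA-256 hashes. The function names are my own; the version numbers and hashes are the ones given above.

```python
# Added triage helpers for the telnyx PyPI compromise (not Telnyx's own code).
import hashlib
import re
from importlib import metadata
from pathlib import Path

COMPROMISED = {("telnyx", "4.87.1"), ("telnyx", "4.87.2")}
SAFE_VERSION = "4.87.0"

# Known-good SHA-256 hashes for 4.87.0, as listed above.
KNOWN_GOOD = {
    "telnyx-4.87.0-py3-none-any.whl":
        "5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2",
    "telnyx-4.87.0.tar.gz":
        "3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a",
}

def flag_compromised(installed):
    # installed: iterable of (name, version); names compared case-insensitively
    return sorted((n.lower(), v) for n, v in installed
                  if (n.lower(), v) in COMPROMISED)

def installed_distributions():
    # every distribution visible to this interpreter, as (name, version)
    return [(d.metadata["Name"], d.version) for d in metadata.distributions()]

def unpinned_telnyx_lines(requirements_text):
    # requirement lines naming telnyx without an exact '==SAFE_VERSION' pin
    pinned = re.compile(rf"(?i)^telnyx\s*==\s*{re.escape(SAFE_VERSION)}(\s|$)")
    bad = []
    for line in requirements_text.splitlines():
        spec = line.split("#", 1)[0].strip()
        if re.match(r"(?i)^telnyx\s*(?:[=<>!~\[;]|$)", spec) and not pinned.match(spec):
            bad.append(spec)
    return bad

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_bytes(filename, data, known_good=KNOWN_GOOD):
    # 'ok' / 'mismatch' against the published hash, 'unknown' if no entry
    expected = known_good.get(filename)
    if expected is None:
        return "unknown"
    return "ok" if sha256_hex(data) == expected else "mismatch"

def verify_artifact(path):
    # hash a downloaded wheel or sdist on disk and check it by its file name
    p = Path(path)
    return verify_bytes(p.name, p.read_bytes())
```

Run it inside the environment you are checking, since installed_distributions() only sees that interpreter's site-packages. The same hashes can also go into requirements.txt as telnyx==4.87.0 --hash=sha256:<hash> so that pip install --require-hashes refuses anything else.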
Telnyx confirmed no repo compromise; they’re rotating tokens. Devs, treat PyPI like a hot zone: verify, pin, audit. One slip, and your infra’s a piñata.