Hackers Hid Malware Inside Audio Files in a Python Package With 740K Downloads

Hiding Malware in Audio Files

What makes this attack unusual is the delivery mechanism. Rather than embedding the malicious payload directly in the Python code, TeamPCP used steganography to hide it inside WAV audio files, a technique that makes the malware much harder for security scanners to detect.

On Linux and macOS systems, the compromised package downloads a file called "ringtone.wav" that contains an encrypted payload. The malware extracts the hidden code using XOR based decryption and executes it. On Windows, a different file called "hangup.wav" delivers an msbuild.exe payload that establishes persistence by placing itself in the Windows Startup folder with a 12 hour execution window.

The malicious code was injected into the _telnyx/_client.py file, the core client module that runs automatically whenever a developer imports the Telnyx library. All legitimate SDK functions continued to work normally, so developers would have no indication anything was wrong.

What the Malware Steals

The credential stealer targets the most sensitive assets on a developer's machine:

• SSH keys used to access servers and repositories
• Cloud tokens for AWS, GCP, and Azure services
• Environment variables containing API keys and database credentials
• Kubernetes cluster secrets
• Cryptocurrency wallet files
• Stored credentials from browsers and password managers

For a developer working on production systems, this represents complete access to their infrastructure. A single compromised developer laptop can cascade into access to deployment pipelines, customer databases, and cloud environments.

TeamPCP's Growing Campaign

This is not TeamPCP's first supply chain attack. The same threat actor previously compromised the LiteLLM AI library, which serves as a unified gateway for API keys to multiple AI providers. They also targeted the Trivy vulnerability scanner, turning a security tool into a malware delivery mechanism.

The pattern is consistent: TeamPCP targets widely used developer tools and libraries, compromises maintainer accounts or CI pipelines, and inserts payloads that execute silently during normal package usage. Each attack targets a different part of the development ecosystem, but the objective is always the same: harvest credentials that unlock access to production infrastructure.

Why Supply Chain Attacks Keep Working

Modern software depends on an enormous chain of third party packages. A typical Python project pulls in dozens of dependencies, each of which pulls in its own dependencies. Developers generally trust that the packages in official registries like PyPI are safe, and automated build systems install updates without manual review.

This trust is exactly what supply chain attacks exploit. When an attacker compromises a legitimate package, the malware arrives through the same trusted channel as every other update. Unlike phishing or social engineering, there is no suspicious email or unusual prompt. The developer simply runs pip install and the compromise is complete.

What to Do Now

Security researchers from Aikido, Socket, and Endor Labs all independently flagged the compromised package. If you use the Telnyx Python SDK, check your installed version immediately. Roll back to version 4.87.0 and rotate all credentials, SSH keys, cloud tokens, and API keys accessible from any system that imported the malicious versions.

More broadly, developers should pin package versions in production environments rather than automatically pulling the latest release. Tools like pip's --require-hashes flag and lock files can prevent unauthorized changes from reaching build systems. The few minutes of extra maintenance are insignificant compared to the cost of a complete credential compromise.