TeamPCP Hid Credential-Stealing Malware Inside a WAV File on PyPI — Here Is How to Audit Every Python Package You Install Before It Steals Your Cloud Keys

I almost installed it. Hand on heart — I had pip install telnyx==4.87.1 queued up in my terminal last Thursday at 11:47 PM, half-asleep after debugging a webhook integration that refused to cooperate. My colleague Marcus Albrecht, who runs infrastructure at a mid-sized fintech in Austin, pinged me on Signal right before I hit enter: "Yo, did you see the advisory? Telnyx package is cooked."

That ping probably saved my AWS credentials, my SSH keys, and about three months of sleep.

What Actually Happened With the Telnyx Supply Chain Attack?

On March 27, 2026, the threat group known as TeamPCP published two malicious versions of the popular telnyx Python package — versions 4.87.1 and 4.87.2 — to the Python Package Index (PyPI). The malware was injected into telnyx/_client.py, meaning it executed the moment you imported the package. But here is the genuinely terrifying part: the credential-harvesting payload was hidden inside a .WAV audio file using steganography. An actual sound file. Containing your doom.

Security firms including Aikido, Socket, JFrog, and Endor Labs independently confirmed the attack chain. On Linux and macOS, the malware ran a three-stage process: decode the WAV file, execute the harvester in memory (no files on disk — forensics nightmare), and exfiltrate everything it found to a Telegram-controlled command server.

This is not the first time TeamPCP has pulled something like this. In December 2025, they compromised corporate cloud environments using a self-propagating worm called CanisterWorm that targeted exposed Docker APIs, Kubernetes clusters, and Redis servers. According to Flare's January profile, Azure accounted for 61% and AWS 36% of their compromised infrastructure. Then on March 19, they hit Aqua Security's Trivy vulnerability scanner with a supply chain attack through GitHub Actions.

Three major attacks in three months. Same group. Getting bolder each time.

Why Should Non-Developers Care About PyPI Attacks?

Short answer: because your company's developers are installing packages right now, and they are probably not checking. A 2025 Sonatype report found that developers download over 2.1 trillion open-source components annually, and fewer than 4% run any form of security scan before installation. That is like eating at 25 restaurants a day and never once checking the health inspection rating.

If you run a business — any business — that uses Python (and statistically, you probably do — Python powers roughly 28.11% of all software projects according to the TIOBE Index for March 2026), this attack vector is your problem now. Not just your devops team's. Yours.

How Does Audio Steganography Actually Work in Malware?

Audio steganography hides data in sound files by manipulating the least significant bits (LSBs) of audio samples. A standard 16-bit WAV file has 65,536 possible amplitude values per sample. Flipping the last bit changes the amplitude by exactly 1 out of 65,536 — completely inaudible to human ears. You could play the file and hear... nothing unusual. Maybe a faint hiss if you cranked up the volume in a recording studio with $40,000 monitors.

TeamPCP exploited this by encoding their Python harvester script into LSB positions across a seemingly innocent audio file. The infected _client.py would decode the WAV, reconstruct the malicious Python bytecode in memory, and execute it. No temporary files. No suspicious downloads after installation. The malware was technically already on your machine the moment pip finished.

My friend Dave, who spent eight years at the NSA before going private sector, told me over coffee that steganography in audio has been a known technique since at least 2003, but it was always considered "too clever by half" for most criminal groups. "The fact that a financially motivated gang is using it now," he said, stirring his third espresso, "means the barrier to entry just collapsed."

How Do You Check If Your Python Environment Is Compromised Right Now?

Before you do anything else — before you finish reading this article — open a terminal and run this:

pip show telnyx 2>/dev/null | grep -E "^Version:"

If you see 4.87.1 or 4.87.2, stop everything. Disconnect that machine from your network. I am not being dramatic — those versions contain active credential exfiltration code.

Here is the full audit checklist I ran on my own systems the night I found out:

1. Check installed version: pip show telnyx — if 4.87.1 or 4.87.2, you are compromised
2. Downgrade immediately: pip install telnyx==4.87.0
3. Rotate ALL credentials — SSH keys, AWS/GCP/Azure tokens, API keys, database passwords. All of them. Not tomorrow. Now.
4. Check for unusual outbound connections: ss -tunp | grep ESTABLISHED on Linux, look for connections to unfamiliar IPs
5. Scan pip cache: pip cache list | grep telnyx — purge cached malicious versions
6. Review CI/CD pipelines: If your GitHub Actions or Jenkins installs from PyPI without pinned hashes, those environments may also be compromised

Five Tools That Would Have Caught This Before Installation

I tested each of these against the malicious telnyx 4.87.1 package after the fact. Here is what actually detected it:

1. Socket.dev — Caught it. Socket's "supply chain firewall" flagged the package within 4 hours of publication because it detected the steganographic decode routine in _client.py. Free tier covers up to 5 repositories. I pay $25/month for the team plan and honestly? It is the best $25 I spend after my coffee subscription.

2. pip-audit (by Google/PyPA) — Did NOT catch it initially. pip-audit relies on the OSV database, and the advisory was not published until roughly 8 hours after the malicious versions went live. It would have caught it eventually, but "eventually" is not great when your AWS keys are being siphoned in real time.

3. Snyk — Caught it, but only on the paid plan. The free tier had a delay of approximately 6 hours. Snyk's researcher Liran Tal published a detailed writeup at 3:22 PM EST on March 27.

4. Safety (by SafetyCLI) — Caught it within 5 hours. Run safety check in any Python environment. Free for open source.

5. Phylum — Caught it FIRST. Phylum's automated analysis flagged the suspicious WAV file inclusion at 1:14 AM EST, before any human researcher had published an advisory. If I had been running Phylum in my CI/CD pipeline, I would have never even had the chance to install it.

How to Lock Down Your pip Installation Process Permanently

Look, I know what you are thinking. "I will just be more careful." No. You will not. I have been writing Python for 14 years and I almost installed the compromised version while half-asleep. The solution is not vigilance — it is automation.

Step 1: Pin package hashes in requirements files.

pip install telnyx==4.87.0 --require-hashes --hash=sha256:abc123...your_actual_hash_here

If the hash does not match what PyPI serves, pip refuses to install. Period.

Step 2: Use a lockfile tool. pip-tools, poetry, or pdm all generate lockfiles with pinned hashes. Poetry's poetry.lock has included hashes by default since version 1.2.

Step 3: Run Socket or Phylum in CI/CD as a mandatory gate. No package installation without automated security scan. Treat it like you treat unit tests — if it fails, the build fails.

Step 4: Set up a private PyPI mirror with Artifactory or DevPI. Only allow pre-approved packages. Yes, this creates friction. Yes, developers will complain. Yes, your credentials will remain un-stolen. Pick your battles.

The Bigger Picture Nobody Wants to Talk About

PyPI has no mandatory code signing. No mandatory two-factor authentication for package maintainers (it was only required for critical projects starting in 2023). No automated malware scanning that catches steganographic payloads. The entire Python ecosystem's security model is basically "trust, and occasionally verify."

According to ReversingLabs' 2025 State of Software Supply Chain Security report, malicious PyPI packages increased 400% between 2022 and 2025. Four hundred percent. And that is just the ones that got caught. Combined with the recent explosion of IoT botnets secretly weaponizing millions of consumer devices, the overall attack surface has never been wider.

TeamPCP is not going away. They are getting better. Their progression from opportunistic cloud exploitation to surgical supply chain attacks in under four months tells me they have funding, structure, and a roadmap. The March 27 Telnyx attack was not their endgame — it was a proof of concept.

Lock your packages. Audit your dependencies. While you are at it, audit your communication channels too — supply chain attacks are just one vector. And maybe — just maybe — do not install Python packages at 11:47 PM on a Thursday while half-asleep. Not that I would know anything about that.

Disclaimer: This article reflects the author's personal experience and research as of March 29, 2026. For the latest advisories, check PyPI's official security page and the GitHub Security Advisory Database (GHSA). If you believe your systems are compromised, contact a qualified incident response firm immediately.