TeamPCP Is Running a Supply Chain Blitz — And Your CI/CD Pipeline Is the Target

The attack you're probably not patching for right now: a threat group called TeamPCP has been systematically backdooring Python packages on PyPI, one after another, for the past two weeks. The Telnyx Python SDK was the latest hit. LiteLLM before that. Trivy before that. And more than 46 npm packages in between.

This isn't opportunistic. It's a coordinated campaign, and it's accelerating.

What Happened with Telnyx

On March 27, 2026 at approximately 03:51 UTC, TeamPCP published two malicious versions of the Telnyx Python SDK — 4.87.1 and 4.87.2 — directly to PyPI. The legitimate Telnyx GitHub repository still shows 4.87.0 as the latest tagged release. Someone had hijacked a PyPI publishing token and used it outside the official CI/CD pipeline.

Both versions stayed live for roughly four hours before PyPI quarantined them.

Four hours is a long time. The Telnyx SDK pulls in between 670,000 and 750,000 downloads per month. Any developer, pipeline, or containerized service that ran a routine package install during that window may have gotten hit — with no warning, no error, and no visible indication that anything was wrong.

How the Attack Works

TeamPCP's modification was surgical. Only a single file, `_client.py`, was changed. Everything else in the package was byte-for-byte identical to the clean 4.87.0 release, including all RECORD hashes. Because the attacker used a legitimately hijacked PyPI token and Telnyx's own build tooling, standard integrity controls — `pip install --require-hashes`, lockfile-based workflows — would not have caught it.

The malicious code executed the moment any application imported the library. No clicks. No interaction. No configuration.

The infection chain ran in three stages:

1. Platform-specific loader — detects the OS, quietly exits if it's not a target
2. Payload retrieval — reaches out to an attacker-controlled server and fetches a hidden payload concealed inside a WAV audio file using steganography
3. Credential harvest — deploys a full infostealer targeting SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes secrets, database configs, cryptocurrency wallets, and `.env` files

The harvester encrypts everything and ships it to a C2 server. On Kubernetes deployments, it can spread cluster-wide by deploying privileged pods onto every node.

This works on Linux, macOS, and Windows. Trend Micro's analysis notes that the Windows path adds persistence mechanisms not present in the earlier LiteLLM version of the attack — a sign TeamPCP is iterating and improving between campaigns.

The Bigger Picture

The Telnyx compromise is the most complete execution of a pattern that's been playing out since at least February 28, when TeamPCP first gained a foothold by stealing a token from a misconfigured GitHub Action on the Trivy project — the open-source container vulnerability scanner from Aqua Security.

From there, the campaign expanded fast:

• Trivy: Security scanner turned into a credential-theft vehicle across CI/CD pipelines. Researchers at the OSINT Team estimated more than 500,000 machines hit, with approximately 300GB of data exfiltrated.
• Checkmarx: Security tooling compromised.
• LiteLLM: AI gateway package with approximately 95 million monthly downloads exposed. Discovered by Endor Labs researchers.
• 46+ npm packages: Same credential-theft objective, different ecosystem.
• Telnyx Python SDK: The latest, and based on Trend Micro's analysis, the most technically sophisticated version yet.

The threat actor is linked to TeamTNT, a group known for targeting cloud infrastructure and container environments. This campaign represents a significant escalation in sophistication — the steganographic payload delivery is new, and the cross-OS support suggests real engineering investment.

If You Run Python Packages in CI/CD, Act Now

If any of your systems installed `telnyx==4.87.1` or `telnyx==4.87.2`, treat them as compromised. Same applies if you've run Trivy, LiteLLM, or Checkmarx packages in the affected timeframe.

Immediate steps:

• Audit your package installs: Check `pip freeze` and build logs for versions 4.87.1 or 4.87.2 of `telnyx`, and any LiteLLM versions flagged by Endor Labs
• Rotate everything: SSH keys, AWS/GCP/Azure credentials, database passwords, API tokens, anything that lived on affected systems
• Review Kubernetes access: If compromised code ran in a container with cluster access, audit RBAC and look for unauthorized pod creation
• Block C2 infrastructure: Threat intelligence from Hexastrike includes indicators of compromise for the TeamPCP command-and-control servers — pull these and check your egress logs
• Lock down PyPI tokens: Publishing tokens should be scoped to specific packages and rotated regularly; this attack worked because a token with publish rights was exposed

The Trust Problem

The uncomfortable truth this campaign exposes: the open-source supply chain operates on implicit trust, and that trust is being systematically weaponized.

Developers install packages because they trust PyPI. Security tools like Trivy get embedded in pipelines because they're trusted by default. When a threat actor hijacks that trust — a legitimate token, a legitimate build, a file that passes hash verification — the entire model breaks down.

The answer isn't to stop using open-source packages. It's to stop trusting the package ecosystem as if it were a hardened supply chain. Signed SBOMs, policy enforcement at install time, egress monitoring for build environments, and short-lived publishing tokens are not optional extras at this point. They're table stakes.

TeamPCP has shown they can move fast — Trivy to Telnyx in under a month, with multiple targets in between. Assume they're not done.

*Sources: SecurityWeek, Cybersecurity News, GBHackers, Trend Micro Research, Hackread, Hexastrike Threat Intelligence, Endor Labs*