Telnyx package on PyPI compromised by TeamPCP. WAV steganography used for payload delivery

News

Malicious versions of the telnyx Python SDK (4.87.1, 4.87.2) were uploaded to PyPI. Code executes directly on import. It works cross-platform.

Delivery method is the interesting part. The package fetches a .wav file from C2, reads frame data, base64-decodes it, then XORs using the first few bytes as key to reconstruct the payload. File is valid audio, so it blends in and it's pretty hard to detect by traditional methods.

Windows path drops msbuild.exe into Startup for persistence. Linux/macOS path uses a staged Python loader → fetch WAV → extract second stage → execute via stdin → AES encrypt + exfil.

C2: 83.142.209.203:8080
Endpoints: /hangup.wav, /ringtone.wav

If you pulled those versions: downgrade, rotate secrets, and check for outbound traffic to that IP.

submitted by /u/raptorhunter22
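The post describes two things a responder can check for: a "valid" WAV whose frame data is actually base64 text, and outbound traffic to the listed C2. The script below is an added example written for this page, not code from the post or from Telnyx. It builds two constructed WAV files in memory (a benign 16-bit sine tone and a carrier whose frames are base64 of a harmless marker string), scores each on how much of its PCM frame data falls inside the base64 alphabet, matches the post's IoCs against a few constructed proxy-log lines, and checks whether an installed telnyx version is one of the two named. The helper names, the log format and the 0.98 threshold are assumptions of this example; the IP, port, paths and versions come from the post.

```python
import base64
import binascii
import io
import math
import re
import struct
import wave
from importlib import metadata

# IoCs as reported in the post (used only for matching).
FLAGGED_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}
C2_HOST = "83.142.209.203"
C2_PORT = 8080
C2_PATHS = ("/hangup.wav", "/ringtone.wav")

# Bytes that can legally appear in base64 text (alphabet, padding, line breaks).
_B64_BYTES = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n"
)
# Assumed threshold: real PCM rarely stays inside a 67-byte subset of 0..255.
B64_FRACTION_THRESHOLD = 0.98


def _build_wav(frames: bytes, sampwidth: int, framerate: int = 8000) -> bytes:
    """Wrap raw frame bytes in a valid mono RIFF/WAVE container (constructed sample)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(sampwidth)
        w.setframerate(framerate)
        w.writeframes(frames)
    return buf.getvalue()


# Constructed benign sample: 0.1 s of a 440 Hz tone, 16-bit signed PCM.
BENIGN_WAV = _build_wav(
    b"".join(struct.pack("<h", int(30000 * math.sin(2 * math.pi * 440 * i / 8000)))
             for i in range(800)),
    sampwidth=2,
)
# Constructed carrier sample: frame data is base64 of a harmless marker, not a payload.
CARRIER_WAV = _build_wav(
    base64.b64encode(b"constructed marker text for the detection example " * 8),
    sampwidth=1,
)


def wav_frames(wav_bytes: bytes) -> bytes:
    """Return the raw PCM frame data of a WAV file held in memory."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.readframes(w.getnframes())


def base64_fraction(data: bytes) -> float:
    """Fraction of bytes that fall inside the base64 alphabet."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _B64_BYTES) / len(data)


def analyze_wav(wav_bytes: bytes) -> dict:
    """Score a WAV as a possible base64 carrier; never executes anything it finds."""
    frames = wav_frames(wav_bytes)
    frac = base64_fraction(frames)
    decodes = False
    if frac >= B64_FRACTION_THRESHOLD:
        try:
            decodes = len(base64.b64decode(frames)) > 0
        except (binascii.Error, ValueError):
            decodes = False
    return {
        "frame_bytes": len(frames),
        "base64_fraction": round(frac, 3),
        "decodes": decodes,
        "suspicious": frac >= B64_FRACTION_THRESHOLD,
    }


# Constructed proxy-log lines (assumed format: client -> host:port path).
SAMPLE_LOG = [
    "10.0.0.5 -> 151.101.1.63:443 /simple/telnyx/",
    "10.0.0.5 -> 83.142.209.203:8080 /hangup.wav",
    "10.0.0.9 -> 83.142.209.203:8080 /ringtone.wav",
    "10.0.0.9 -> 93.184.216.34:443 /index.html",
]
_C2_RE = re.compile(rf"{re.escape(C2_HOST)}:{C2_PORT}\b")


def scan_proxy_log(lines) -> list:
    """Return lines that reach the reported C2 host:port or one of its WAV paths."""
    return [ln for ln in lines if _C2_RE.search(ln) or any(p in ln for p in C2_PATHS)]


def is_flagged_telnyx_version(version: str) -> bool:
    return version.strip() in FLAGGED_TELNYX_VERSIONS


def installed_telnyx_flagged():
    """True/False for an installed telnyx, None if it is not installed here."""
    try:
        return is_flagged_telnyx_version(metadata.version("telnyx"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print("benign :", analyze_wav(BENIGN_WAV))
    print("carrier:", analyze_wav(CARRIER_WAV))
    print("c2 hits:", scan_proxy_log(SAMPLE_LOG))
    print("telnyx :", installed_telnyx_flagged())
```

The frame-data heuristic is cheap enough to run over a download cache or a mail gateway's audio attachments: a genuine recording spreads its sample bytes across the whole 0..255 range, so a file whose frames sit almost entirely inside the base64 alphabet is worth pulling for analysis even though every WAV header field is valid. The XOR step the post mentions is deliberately not reproduced here; flagging the carrier is enough to trigger containment, and the decoded bytes belong in a sandbox, not on the host that found them.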