The telnyx packages on PyPI have been compromised

Compromised telnyx packages on PyPI (~1M monthly downloads) carry steganographic malware that hides its payload in WAV files to establish persistence and steal credentials.

Friday, March 27, 2026 12:00 PM UTC | 2 min read | Source: LWN.net | By sys://pipeline

Two malicious versions of the telnyx Python package (4.87.1 and 4.87.2) were published to PyPI on March 27, 2026, containing injected code in telnyx/_client.py. The payload uses steganography to hide a second-stage binary inside WAV files, then drops a persistent executable on Windows or harvests credentials on Linux/macOS. With ~1M downloads/month, this is a high-impact supply chain attack affecting any Python project that auto-updated the telnyx dependency.
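To triage exposure, the added example below (not code from the article or from the telnyx project) scans requirements-style lines and separates exact pins to 4.87.1/4.87.2 from floating ranges that could have auto-updated into them. The `scan` helper and the sample lines are constructed for illustration, and the version matching assumes plain numeric release versions.

```python
import re

# Compromised releases named in the article; everything else here is illustrative.
BAD = {"4.87.1", "4.87.2"}
NAME = re.compile(r"^\s*telnyx(?![\w.-])\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;#\\]*)", re.I)
CLAUSE = re.compile(r"^(==|!=|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)$")

def _v(s):
    return tuple(int(p) for p in s.split("."))

def _allows(clause, version):
    """True if one specifier clause (e.g. '>=4.0') admits `version`."""
    m = CLAUSE.match(clause.strip())
    if not m:
        return True  # wildcard or unusual clause: flag conservatively for review
    op, ref, v = m.group(1), _v(m.group(2)), _v(version)
    n = max(len(ref), len(v))
    rp, vp = ref + (0,) * (n - len(ref)), v + (0,) * (n - len(v))
    if op == "~=":  # compatible release: >= ref with the same leading segments
        return vp >= rp and v[:len(ref) - 1] == ref[:-1]
    return {"==": vp == rp, "!=": vp != rp, ">=": vp >= rp,
            "<=": vp <= rp, ">": vp > rp, "<": vp < rp}[op]

def scan(lines):
    """Return (line_no, verdict, admitted_bad_versions) for at-risk telnyx entries."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = NAME.match(raw)
        if not m:
            continue  # other packages (including telnyx-* lookalike names) and comments
        spec = m.group("spec").split(" --")[0].strip()  # drop pip options like --hash
        clauses = [c for c in spec.split(",") if c.strip()]
        hit = sorted(b for b in BAD if all(_allows(c, b) for c in clauses))
        if hit:
            exact = (len(hit) == 1 and len(clauses) == 1
                     and clauses[0].strip().startswith("=="))
            findings.append((n, "pinned-compromised" if exact
                             else "range-admits-compromised", hit))
    return findings

# Constructed sample: entries as they might appear across several projects' files.
SAMPLE = ["requests==2.32.3", "telnyx==4.87.1", "telnyx>=4.0,<5   # floating range",
          "telnyx==4.87.0", "telnyx-helper==4.87.2", "telnyx",
          "telnyx~=4.86.0", "telnyx>=4.87.3"]

if __name__ == "__main__":
    for line_no, verdict, versions in scan(SAMPLE):
        print(f"line {line_no}: {verdict} {versions}")
```

A "range-admits-compromised" result means the specifier alone does not rule out the bad releases; the lock file or the installed environment shows which version was actually resolved.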
