TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

Why it matters: A malicious release of a widely installed package runs attacker code in every environment that pulls it in, so this is a compromise of the supply chain rather than a vulnerability in the package. Anyone who installed telnyx 4.87.1 or 4.87.2 from PyPI should treat that host and any secrets on it as potentially exposed, roll back to an earlier release, and pin dependencies to known-good versions.
- TeamPCP is identified as the threat actor responsible for this latest supply chain attack.
- Two malicious versions (4.87.1 and 4.87.2) of the telnyx Python package were published to PyPI.
- The attack aims to steal sensitive data, continuing TeamPCP's pattern of targeting open-source projects.
TeamPCP, a known threat actor, has expanded its supply chain attacks to the telnyx Python package on PyPI, publishing two malicious versions (4.87.1 and 4.87.2) that steal sensitive data, with the stealer payload hidden in WAV files. The incident follows the group's earlier compromises of Trivy, KICS, and litellm and shows a persistent, evolving threat to open-source software supply chains: installing from a trusted package index is not the same as installing a trusted version.
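A practical first response is to check whether the two named versions appear in any dependency manifest or installed environment. The script below is an added example, not code from the article or from the Telnyx project; it assumes only the two version numbers reported above and knows nothing about the WAV-hidden payload itself, so it detects the bad pins, not the stealer. The sample manifest it scans is constructed for illustration.

```python
"""Scan pip-style manifests and the local environment for the telnyx
versions reported as malicious.

Added example; not code from the article or from the Telnyx project.
Assumes only the two version strings named in the report.
"""
import re
import sys
from importlib import metadata

# Versions the report identifies as malicious.
MALICIOUS_TELNYX_VERSIONS = frozenset({"4.87.1", "4.87.2"})

# Exact pins: 'name[extras]==version' as written in requirements files,
# pip freeze output, or lockfile exports. Environment markers and comments
# after the version are ignored.
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<version>[^\s;#]+)"
)
# Leading project name of any requirement line (used to spot non-pinned references).
_REQ_NAME_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious_pins(lines, package="telnyx", bad_versions=MALICIOUS_TELNYX_VERSIONS):
    """Return (line_number, version) for every exact pin of `package` to a bad version."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _PIN_RE.match(line)
        if m and normalize_name(m.group("name")) == package and m.group("version") in bad_versions:
            hits.append((lineno, m.group("version")))
    return hits


def find_unpinned_references(lines, package="telnyx"):
    """Return line numbers that reference `package` without an exact '==' pin.

    A range such as 'telnyx>=4.87.0' cannot be judged from the manifest alone:
    the resolver may pick a malicious version, so these lines need a lockfile
    or an installed-environment check.
    """
    unpinned = []
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _REQ_NAME_RE.match(stripped)
        if m and normalize_name(m.group("name")) == package and not _PIN_RE.match(line):
            unpinned.append(lineno)
    return unpinned


def installed_version_is_malicious(package="telnyx", bad_versions=MALICIOUS_TELNYX_VERSIONS):
    """Check the running interpreter's environment.

    Returns True/False for an installed package and None when it is not installed.
    """
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return version in bad_versions


# Constructed sample of `pip freeze`-style output for demonstration.
SAMPLE_FREEZE = """\
# constructed sample manifest
requests==2.31.0
Telnyx[async]==4.87.1  ; python_version >= "3.8"
telnyx==4.86.0
telnyx>=4.87.0   # range, not a pin: resolver decides, so flag for review
"""


if __name__ == "__main__":
    # Usage: python check_telnyx.py [requirements.txt]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_FREEZE.splitlines()
    for lineno, version in find_malicious_pins(lines):
        print(f"MALICIOUS pin at line {lineno}: telnyx=={version}")
    for lineno in find_unpinned_references(lines):
        print(f"REVIEW unpinned telnyx reference at line {lineno}")
    print("installed telnyx malicious:", installed_version_is_malicious())
```

Run it against each requirements file and lockfile export in a repository, then in every virtual environment and container image that ships the package; the installed-environment check matters because a range specifier in a manifest tells you nothing about which version was actually resolved at build time.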

