{
  "Event": {
    "analysis": "1",
    "date": "2026-03-27",
    "extends_uuid": "",
    "info": "[Threat Intel] Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware",
    "protected": false,
    "publish_timestamp": "1775900438",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775900438",
    "uuid": "1013f745-e27a-4455-b3a3-664cb44a07e4",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4a1a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing Policy Modification - T1553.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Code Repository - T1567.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#177374",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Encoding - T1132.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868411",
        "to_ids": false,
        "type": "link",
        "uuid": "8b72eb6e-9a73-4223-874a-b653942cdb0a",
        "value": "https://socket.dev/blog/telnyx-python-sdk-compromised",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868411",
        "to_ids": false,
        "type": "text",
        "uuid": "f7881e75-f150-48e9-9a49-ed672e40c512",
        "value": "A supply chain attack affecting the telnyx Python package on PyPI has been identified. Malicious versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. On Linux/macOS the attack employs a three-stage runtime chain: a payload hidden in audio files via steganography (the ringtone.wav and hangup.wav URLs on 83.142.209.203:8080 attached to this event), in-memory execution of a data harvester, and encrypted exfiltration. On Windows, it drops a persistent binary in the Startup folder. The malware uses fileless execution, hybrid encryption, and anti-forensics measures. The threat actor, TeamPCP, demonstrates high operational security and cryptographic awareness. Developers are advised to check whether telnyx 4.87.1 or 4.87.2 was ever installed (e.g. pip freeze / pip show telnyx, lockfiles, CI and build caches), treat environments where either version was installed as potentially compromised, rotate any credentials that were present in those environments, and hunt logs and egress records for the network indicators attached to this event."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868411",
        "to_ids": false,
        "type": "text",
        "uuid": "d51ab396-58d3-4ccc-a452-7848724620bc",
        "value": "Name: Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"telnyx\", \"supply-chain-attack\", \"hybrid-encryption\", \"fileless-execution\", \"steganography\", \"credential-harvesting\", \"pypi\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1132.001\", \"T1204.002\", \"T1573.001\", \"T1588.006\", \"T1140\", \"T1555\", \"T1553.006\", \"T1567.001\", \"T1571\", \"T1027\", \"T1059.006\", \"T1132.002\", \"T1027.002\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868411",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "e38f4a4c-e53f-4e21-8dad-c785ad4198b9",
        "value": "TeamPCP"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888954",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a95a98ae-d7cf-473c-9334-bcb0fa31cb41",
        "value": "83.142.209.203",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888975",
        "to_ids": true,
        "type": "url",
        "uuid": "cca05879-6404-4580-8a00-2eec5014d065",
        "value": "http://83.142.209.203:8080/ringtone.wav",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888997",
        "to_ids": true,
        "type": "url",
        "uuid": "ebb10ee0-341d-4793-8b42-3d5ca9853622",
        "value": "http://83.142.209.203:8080/hangup.wav",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 8080",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775881057",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "3cd677ac-8cd9-452e-98d9-f82fc153d483",
        "value": "83.142.209.203|8080"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775889018",
        "to_ids": true,
        "type": "url",
        "uuid": "e78f9741-0548-4117-a351-c2fb9764a350",
        "value": "http://83.142.209.203:8080/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}