Skip to content
.ca
sign in
6 mincritical

The Telnyx PyPI Compromise and the 2026 TeamPCP Supply Chain Attacks

Threat actor TeamPCP orchestrated a cascading supply chain attack by exploiting a misconfigured GitHub Actions workflow in Aqua Security's Trivy, harvesting credentials to compromise subsequent repositories including Checkmarx, LiteLLM, and Telnyx. The malicious packages deploy sophisticated, OS-specific remote access trojans (RATs) that utilize steganography, process hollowing, and ETW patching to evade detection while exfiltrating sensitive data.

Sens:ImmediateConf:highAnalyzed:2026-03-30reports

Authors: Akamai Security Intelligence Group

ActorsTeamPCPVect
Supply Chain AttackCredential TheftTeamPCPRATPyPI

Source:Akamai

IOCs · 2

Key Takeaways

  • Threat actor TeamPCP compromised multiple open-source repositories (Trivy, Checkmarx, LiteLLM, Telnyx) in a cascading supply chain attack.
  • The initial access vector was a misconfigured pull_request_target workflow in Trivy's GitHub Actions, leading to massive credential theft.
  • The malicious Telnyx payload uses OS-specific execution, downloading a steganographic WAV file that decodes into a Remote Access Trojan (RAT).
  • Windows payloads utilize process hollowing into dllhost.exe, direct syscalls, and ETW patching to evade detection.
  • Ransomware group Vect has partnered with TeamPCP, indicating a potential shift from credential theft to large-scale extortion.

Affected Systems

  • Trivy GitHub Actions
  • Checkmarx KICS (ast-result v2.53.0, cx-dev-assist 1.7.0)
  • LiteLLM (PyPI v1.82.7, v1.82.8)
  • Telnyx (PyPI v8.47.1, v8.47.2 / v4.87.1, v4.87.2)
  • Windows OS
  • Linux OS

Vulnerabilities (CVEs)

  • Misconfigured pull_request_target workflow in GitHub Actions

Attack Chain

The attack begins with the installation of a compromised PyPI or GitHub package (e.g., Telnyx). Upon execution, a malicious Python script (_client.py) downloads an OS-specific WAV file from the C2 server, decodes it using an XOR key, and executes the payload. On Linux, it encrypts collected data using AES and RSA before exfiltrating it via curl. On Windows, it executes msbuild.exe, which uses process hollowing to inject a steganographically hidden shellcode RAT into dllhost.exe, establishing C2 communication for further commands.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Akamai Guardicore Segmentation Insight

The article provides an Akamai Guardicore Segmentation Insight SQL query to identify endpoints with the malicious Python packages installed.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions should easily detect process hollowing into dllhost.exe, ETW tampering, and suspicious child processes spawned by Python (e.g., msbuild.exe, openssl, curl). Network Visibility: Medium — Network monitoring can detect the downloading of WAV files and the exfiltration of tpcp.tar.gz via HTTP POST, though the C2 traffic itself may blend in if not inspecting payloads. Detection Difficulty: Moderate — While the initial supply chain compromise is hard to detect, the post-exploitation behaviors (process hollowing, curl exfiltration, ETW patching) are well-known and highly detectable by modern EDRs.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Network Connections (Sysmon Event ID 3)
  • Process Access (Sysmon Event ID 10)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for Python processes spawning msbuild.exe, which is highly unusual and indicative of the Windows loader execution.Process CreationExecutionLow
Search for msbuild.exe spawning dllhost.exe or injecting code into it, indicating process hollowing.Process Creation / Process AccessDefense EvasionLow
Identify Python processes executing openssl and tar commands in rapid succession followed by a curl POST request, matching the Linux exfiltration chain.Process CreationExfiltrationLow
Monitor for HTTP POST requests containing the header 'X-Filename: tpcp.tar.gz', which is a direct indicator of the Linux payload exfiltration.Network Traffic / Proxy LogsExfiltrationLow

Control Gaps

  • CI/CD Pipeline Security
  • Third-party dependency scanning

Key Behavioral Indicators

  • Python spawning msbuild.exe
  • msbuild.exe patching ETW
  • dllhost.exe making external network connections to non-Microsoft IPs
  • curl POST requests with X-Filename headers

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Downgrade LiteLLM to versions prior to 1.82.7 and Telnyx to versions prior to 8.47.1/4.87.1.
  • Rotate all credentials, API keys, SSH keys, and cloud tokens on any machine that ran the infected packages.
  • Block network traffic to 83.142.209.203, checkmarx.zone, and models.litellm.cloud.

Infrastructure Hardening

  • Implement network segmentation to restrict outbound traffic from CI/CD pipelines and production workloads to only necessary endpoints.
  • Enforce least privilege for GitHub Actions workflows, specifically avoiding misconfigured pull_request_target triggers.

User Protection

  • Deploy EDR solutions capable of detecting process hollowing and ETW tampering on developer workstations.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package integrity before updating.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1027.003 - Obfuscated Files or Information: Steganography
  • T1055.012 - Process Injection: Process Hollowing
  • T1562.006 - Impair Defenses: Indicator Blocking
  • T1140 - Deobfuscate/Decode Files or Information
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  • T1552.004 - Unsecured Credentials: Private Keys

Additional IOCs

  • Ips:
    • 83[.]142[.]209[.]203 - C2 server for Telnyx payload
  • Domains:
    • checkmarx[.]zone - LiteLLM stealer exfiltration domain
    • models[.]litellm[.]cloud - LiteLLM stealer exfiltration domain
  • Urls:
    • hxxp://83[.]142[.]209[.]203:8080/ - Exfiltration endpoint for Linux payload
  • File Paths:
    • tpcp.tar.gz - Archive containing encrypted collected data and session key on Linux
    • _client.py - Malicious Python script embedded in the compromised Telnyx package
    • dllhost.exe - Target process for hollowing on Windows
  • Command Lines:
    • Purpose: Generate AES-256 session key | Tools: openssl | Stage: Execution/Encryption | openssl rand -out
    • Purpose: Encrypt collected data with AES-256-CBC | Tools: openssl | Stage: Encryption | openssl enc -aes-256-cbc -in
    • Purpose: Encrypt session key with RSA public key | Tools: openssl | Stage: Encryption | openssl pkeyutl -encrypt -pubin -inkey
    • Purpose: Archive encrypted data and key | Tools: tar | Stage: Collection | tar -czf
    • Purpose: Exfiltrate archive to C2 | Tools: curl | Stage: Exfiltration | curl -s -o /dev/null -w %{http_code} -X POST
    • Purpose: Execute MSBuild silently | Tools: msbuild.exe, python | Stage: Execution | subprocess.Popen([p], creationflags=0x08000000)
  • Other:
    • 33 1a b9 c0 32 cf 95 c8 9d 87 7e e0 5b 46 f8 d8 - RC4 key used to decrypt the shellcode config blob

Related