Python Supply Chain Attacks Are Getting Smarter — And Your `pip install` Is the Battlefield

Author: Anthony, Security Researcher

Every time a developer runs `pip install`, they extend an implicit trust to the entire Python ecosystem. That trust is being systematically exploited — and the attacks are growing more sophisticated by the month.

I’ve spent years watching the security landscape evolve, and I’ll say it plainly: Python’s open package ecosystem is one of the most underdefended attack surfaces in modern software development. The recent wave of PyPI-targeted supply chain attacks isn’t a coincidence. It’s a coordinated, escalating offensive, and most development teams still aren’t treating it with the urgency it demands.

The Telnyx Attack Shows How Far Threat Actors Have Evolved

On March 27, 2026, a threat actor group known as TeamPCP compromised the official Telnyx Python SDK on PyPI — a package pulling over 740,000 downloads per month. They published two backdoored versions (4.87.1 and 4.87.2) within hours of each other, embedding credential-stealing malware inside a WAV audio file using steganography.

Let that sink in. Malicious code hidden inside audio data frames, extracted via XOR decryption, and executed entirely in memory. This isn’t script-kiddie territory — this is tradecraft.

According to BleepingComputer, the payload targeted SSH keys, cloud tokens, cryptocurrency wallets, environment variables, and credentials on Linux and macOS. On Windows, it dropped a persistent executable into the Startup folder.

The malicious code lived inside `_telnyx/_client.py` and triggered automatically at import — meaning any developer who ran `import telnyx` was silently compromised at runtime. Researchers at Aikido, Socket, and Endor Labs independently caught the attack and attributed it to TeamPCP based on matching RSA keys and exfiltration patterns from prior incidents.

TeamPCP Is a Repeat Offender — And That’s the Real Warning Sign

What makes this particularly alarming isn’t the Telnyx attack in isolation. It’s the pattern. TeamPCP had already compromised LiteLLM, a popular open-source Python library, just three days prior. Before that, they breached Aqua Security’s Trivy vulnerability scanner, pushing infostealer malware through GitHub Actions.

This is a threat actor operating with persistence, tooling reuse, and clear intent. The same RSA key. The same exfiltration infrastructure. Different targets — but a consistent playbook of stealing publisher credentials to hijack trusted packages. Endor Labs’ analysis confirmed this, noting the Telnyx compromise came just 72 hours after the LiteLLM incident.

These aren’t opportunistic attacks. They’re a sustained campaign targeting the Python ecosystem’s most widely adopted packages. The implication is stark: if your organization uses popular Python SDKs — and virtually every engineering team does — you are a downstream target whether you know it or not.

PyPI’s Trust Model Is Fundamentally Broken for Enterprise Use

Here’s the uncomfortable truth nobody in the open-source community wants to say out loud: PyPI was designed for accessibility, not security. The default trust model assumes that a package published under a legitimate account name is safe. That assumption collapses entirely the moment an attacker steals a maintainer’s credentials.

PyPI has made progress — mandatory two-factor authentication for critical projects, Trusted Publishers via OIDC, and faster malicious package removal. But these measures are reactive by design. The Telnyx backdoor was live and serving malicious payloads before any automated system caught it.

The broader ecosystem problem is one of scale. PyPI hosts over 500,000 packages. Malicious packages — whether typosquats, dependency confusion attacks, or compromised legitimate packages — regularly slip through.
In 2023 alone, researchers identified thousands of malicious PyPI packages in a single coordinated campaign, according to Checkmarx’s threat research team. The volume makes comprehensive manual review impossible.

The enterprise-grade answer isn’t to trust PyPI’s security alone. It’s to build internal controls that assume packages can be compromised at any time.

What Engineering Teams Must Do Differently Right Now

The standard advice — pin your dependencies, review changelogs, use lock files — is necessary but no longer sufficient. Teams need to operate with a fundamentally different posture.

First, implement private package mirrors with hash verification. Tools like Artifactory or AWS CodeArtifact let you control exactly which package versions enter your environment, with cryptographic verification of integrity. A compromised PyPI version never reaches your developers.

Second, treat runtime package imports as potential threat vectors. Behavioral monitoring tools that flag unusual process spawning, outbound network calls, or unexpected file writes during import can catch attacks like the Telnyx compromise before exfiltration completes.

Third, rotate secrets aggressively after any suspected exposure. Endor Labs explicitly warned that any system that imported Telnyx 4.87.1 or 4.87.2 should be treated as fully compromised. In practice, many teams won’t audit their dependency logs until it’s too late.

The Takeaway: Trust Is a Vulnerability

The Python ecosystem’s greatest strength — its openness and collaborative abundance — is also its most exploitable weakness. Supply chain attacks against PyPI aren’t an emerging threat. They’re an active, ongoing, and accelerating campaign.

TeamPCP alone has compromised multiple high-profile packages within weeks. The sophistication is increasing. The detection windows are shrinking. And the blast radius of a single compromised package with 740,000 monthly downloads is almost impossible to fully quantify.
Stop treating `pip install` as a routine action. Start treating every dependency as a potential entry point. The organizations that build layered supply chain defenses today will be the ones that don’t spend next quarter doing incident response.
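
One way to run the dependency audit that the third recommendation calls for, as an added example that is not part of the original article: it checks requirements-style lock files and installed-package metadata for the two backdoored Telnyx versions without importing the package, since the article notes the payload ran at import. The distribution name `telnyx`, the function names and the sample lock file are assumptions made for illustration.

```python
import re
from importlib import metadata

# Versions from the article; distribution name "telnyx" assumed from its `import telnyx`.
KNOWN_BAD = {"telnyx": {"4.87.1", "4.87.2"}}

# Exact pins only: `telnyx==4.87.1`, `Telnyx[extra] == 4.87.2 --hash=...`
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;\\#]+)"
)

def normalize(name):
    """PEP 503 name normalization so Telnyx, TELNYX and telnyx compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text, source="<lockfile>"):
    """Return (source, line_no, name, version) for every pin on a known-bad release."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if not match:
            continue  # comments, option lines (--hash=...), ranges such as >=
        name, version = normalize(match.group(1)), match.group(2)
        if version in KNOWN_BAD.get(name, ()):
            hits.append((source, line_no, name, version))
    return hits

def scan_installed():
    """Read installed-distribution metadata only; importing would run the payload."""
    hits = []
    for dist in metadata.distributions():
        name = normalize(dist.metadata.get("Name") or "")
        version = dist.metadata.get("Version")
        if version in KNOWN_BAD.get(name, ()):
            hits.append(("<site-packages>", 0, name, version))
    return hits

# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = """\
requests==2.31.0
Telnyx==4.87.1 \\
    --hash=sha256:<placeholder>
telnyx==4.87.0
# telnyx==4.87.2  (commented out, so ignored)
"""

if __name__ == "__main__":
    for hit in scan_requirements(SAMPLE_LOCK, "requirements.txt") + scan_installed():
        print("KNOWN-BAD RELEASE: %s line %d: %s==%s" % hit)
```

Any hit means the host or build that resolved that pin should be handled as the article describes: treated as compromised, with its secrets rotated.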