Telnyx package compromised on PyPI

https://news.ycombinator.com/rss Hits: 1
Summary

This morning's telnyx compromise is the latest move in what is now a weeks-long TeamPCP supply chain campaign crossing multiple ecosystems. Trivy. Checkmarx. LiteLLM. And now Telnyx on PyPI, uploaded hours ago at 03:51 UTC on March 27.

The pattern is consistent: steal credentials from a trusted security tool, use those credentials to push malicious versions of whatever that tool had access to, collect whatever's running in the next environment, repeat.

Where This Fits in the Campaign

A quick recap of what TeamPCP has done over the past two weeks:

March 19: Trivy compromised. Aqua Security's open source vulnerability scanner was backdoored, resulting in CVE-2026-33634 (CVSS 9.4). Attackers exfiltrated credentials from every CI/CD pipeline running Trivy without version pinning. 44 Aqua Security GitHub repositories were renamed with the prefix tpcp-docs- and the description "TeamPCP Owns Aqua Security."

March 20: CanisterWorm hits npm. Using stolen tokens from Trivy users, TeamPCP published the CanisterWorm backdoor across 46+ npm packages, including scopes like @EmilGroup and @opengov. The worm automated token-to-compromise: given one stolen npm token, it enumerated all publishable packages, bumped versions, and published across the entire scope in under 60 seconds.

March 22: I first observed TeamPCP using WAV steganography to deliver payloads in their Kubernetes wiper variant. I flagged it on Twitter at the time: "TeamPCP is now embedding their malware in .wav files."

March 23: Checkmarx. The kics-github-action and ast-github-action GitHub Actions were compromised, along with two OpenVSX extensions (cx-dev-assist 1.7.0 and ast-results 2.53.0). The payload used a new C2 domain, checkmarx[.]zone, impersonating the Checkmarx brand. 35 tags were hijacked between 12:58 and 16:50 UTC; malicious code was removed three hours later.

March 24: LiteLLM. Versions 1.82.7 and 1.82.8 of the LiteLLM PyPI package were published using credentials stolen from LiteLLM's CI/CD pipeline, which ra...

First seen: 2026-03-27 19:31

Last seen: 2026-03-27 19:31