Key facts: Telnyx data breach
• Date occurred: March 27, 2026
• Date discovered: March 27, 2026
• Date reported: March 27, 2026
• Target entity: Telnyx
• Source of breach: Hacking group TeamPCP
• Data types: SSH keys, cloud credentials, Kubernetes tokens
• Status: Confirmed; reported on March 27, 2026.
• Severity: High; the incident involves the exfiltration of critical infrastructure credentials and aggressive malware targeting Kubernetes environments.
What happened in the Telnyx data breach?
Telnyx (telnyx.com) was the target of a high-severity supply chain attack reported on March 27, 2026. The hacking group TeamPCP compromised the company's Python Package Index (PyPI) project, which serves as a software development kit for the Telnyx AI Voice Agent service. According to researchers from Endor Labs, the attackers published backdoored versions (4.87.1 and 4.87.2) of the software package, likely using credentials harvested from a previous breach of LiteLLM.
The attack utilized a sophisticated delivery mechanism where a malicious payload was hidden within the audio frame data of a WAV file. This payload was designed to exfiltrate sensitive data, including SSH keys, cloud credentials, and Kubernetes tokens. The malware is particularly aggressive, attempting to deploy privileged pods to Kubernetes nodes to establish a persistent presence. Organizations using the compromised versions are facing a high-severity risk of full-environment compromise, as the stolen credentials could allow unauthorized access to sensitive cloud infrastructure.
Who is behind the incident?
TeamPCP is a hacking group known for conducting sophisticated supply chain attacks. The group recently targeted the Telnyx PyPI project by leveraging credentials likely obtained from a prior breach of LiteLLM. TeamPCP's methods involve advanced obfuscation techniques; its focus on Kubernetes environments and on the exfiltration of administrative credentials suggests a high level of technical proficiency and an interest in compromising large-scale cloud infrastructure. The group continues to be active in targeting software development kits to reach downstream organizations.
Impact and risks for Telnyx customers
The primary risk for organizations that installed the compromised Telnyx PyPI versions is the total exposure of their cloud and containerized environments. The exfiltration of SSH keys and Kubernetes tokens provides attackers with the necessary credentials to gain deep, persistent access to internal systems. This could lead to further data theft, the disruption of critical services, or the deployment of additional malware across the network. Because the malware attempts to install implants on every node in a Kubernetes cluster, the scope of the potential impact is extensive.
Incidents of this nature typically require immediate and comprehensive remediation efforts. Affected organizations should treat any installation of the backdoored versions as a full-environment breach. Essential protective actions include the immediate rotation of all cloud and SSH credentials and a thorough audit of Kubernetes cluster configurations. Maintaining transparency regarding these incidents helps the broader security community identify and mitigate similar supply chain threats.
How to protect against similar security incidents
In response to the supply chain compromise of the Telnyx PyPI project, organizations must immediately secure their development pipelines and infrastructure to prevent further exploitation.
• Identify and quarantine compromised packages. Scan all development and production environments for Telnyx PyPI package versions 4.87.1 and 4.87.2. Immediately isolate any systems where these versions were installed and treat them as compromised. Revert to a verified, secure version of the package and monitor for any unauthorized changes.
• Perform a comprehensive credential rotation. Rotate all SSH keys, cloud service provider credentials, and API tokens used within the affected environments. Invalidate and reissue all Kubernetes service account tokens and secrets. Ensure that multi-factor authentication (MFA) is enforced across all administrative and developer accounts.
• Audit Kubernetes and container environments. Inspect Kubernetes clusters for unauthorized privileged pods or unusual node-level activity. Use runtime security tools to detect anomalous behavior or persistence mechanisms within containerized workloads. Review cloud audit logs for any suspicious API calls or access patterns originating from the compromised timeframe.
• Enhance supply chain and attack surface monitoring. Implement automated software composition analysis (SCA) to detect malicious or backdoored dependencies in real-time. Deploy continuous attack surface management to monitor for unauthorized changes to external-facing assets. Establish a strict policy for verifying the integrity of third-party software packages before deployment.
Rapid identification and the immediate rotation of sensitive credentials are the most effective ways to mitigate the impact of this supply chain attack.
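The first and third steps above (find installs of the backdoored versions, then look for the privileged-pod footprint in the cluster) can be scripted. The following is an added triage example written for this article; it is not Telnyx's, Endor Labs' or UpGuard's code. It assumes the SDK's PyPI distribution name is `telnyx`, that dependency pins arrive in `pip freeze` / `requirements.txt` form, and that the cluster inventory is the JSON produced by `kubectl get pods -A -o json`. The sample inputs at the bottom are constructed for the demonstration.

```python
"""Triage helpers for the Telnyx PyPI compromise (added example, not vendor code).

1. find_compromised_pins: flag requirements/pip-freeze lines that pin the
   backdoored versions named in the advisory.
2. risky_pods: flag pods in a `kubectl get pods -A -o json` dump that run
   privileged or host-namespace/host-filesystem containers, the footprint
   the advisory attributes to the malware's Kubernetes implants.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Versions named in the advisory. The distribution name is an assumption.
COMPROMISED_PACKAGE = "telnyx"
COMPROMISED_VERSIONS = {"4.87.1", "4.87.2"}

# Matches "name==version" pins; loose specifiers (>=, ~=) are not pins and
# are ignored because they cannot tell us which version was installed.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def _normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised_pins(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, version) for every pin of a compromised version."""
    hits: list[tuple[int, str]] = []
    for line_no, line in enumerate(lines, start=1):
        match = _PIN_RE.match(line)
        if not match:
            continue
        name, version = match.group(1), match.group(2)
        if _normalize(name) == COMPROMISED_PACKAGE and version in COMPROMISED_VERSIONS:
            hits.append((line_no, version))
    return hits


def risky_pods(pod_list: dict) -> list[dict]:
    """Flag pods that share host namespaces, mount host paths, or run
    privileged containers. Returns one finding per pod with the reasons."""
    findings: list[dict] = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        reasons: list[str] = []
        for key in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(key):
                reasons.append(key)
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                reasons.append(f"hostPath:{vol['hostPath'].get('path')}")
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            if container.get("securityContext", {}).get("privileged"):
                reasons.append(f"privileged:{container.get('name')}")
        if reasons:
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "node": spec.get("nodeName"),
                "reasons": reasons,
            })
    return findings


# Constructed sample input: one clean pin, one older pin, one backdoored pin.
SAMPLE_REQUIREMENTS = """requests==2.32.3
telnyx==4.86.0
Telnyx==4.87.2
numpy>=1.26
# pinned by CI
"""

# Constructed sample input in `kubectl get pods -A -o json` shape: a benign
# web pod and a hypothetical daemonset-style pod with the implant footprint.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend-1"},
         "spec": {"nodeName": "node-a",
                  "containers": [{"name": "nginx", "image": "nginx:1.27"}]}},
        {"metadata": {"namespace": "default", "name": "node-agent-k7x2p"},
         "spec": {"nodeName": "node-b", "hostPID": True,
                  "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                  "containers": [{"name": "agent", "image": "busybox",
                                  "securityContext": {"privileged": True}}]}},
    ]
})


if __name__ == "__main__":
    for line_no, version in find_compromised_pins(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"requirements line {line_no}: compromised telnyx=={version}")
    for finding in risky_pods(json.loads(SAMPLE_PODS_JSON)):
        print(f"{finding['namespace']}/{finding['name']} on {finding['node']}: "
              + ", ".join(finding["reasons"]))
```

In practice you would feed `find_compromised_pins` the output of `pip freeze` from every build image and virtualenv, and `risky_pods` the live cluster dump; every hit from the second check still needs a human to separate legitimate system daemonsets (CNI, node agents) from unexpected privileged workloads, which is why the function reports reasons rather than deciding on its own.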
Frequently asked questions
What happened in the Telnyx security breach?
TeamPCP claimed responsibility for a security attack on Telnyx (telnyx.com) in March 2026. The incident was first reported on March 27, 2026.
When did the Telnyx breach occur?
The Telnyx breach was publicly reported on March 27, 2026. TeamPCP referenced the incident around that time, but the attack may have occurred earlier.
What data was exposed?
The types of data involved in the Telnyx incident include SSH keys, cloud credentials, and Kubernetes tokens. TeamPCP reportedly exfiltrated these categories of sensitive information using backdoored software packages.
Is my personal information at risk?
If you interacted with Telnyx's PyPI packages, there's a possibility your infrastructure credentials could be affected. Similar incidents often involve SSH keys, cloud access tokens, or Kubernetes secrets. Stay alert for updates and take precautionary measures to secure your accounts.
What steps should companies take after being breached?
Organizations should secure systems by quarantining affected package versions, notifying relevant stakeholders, and rotating all potentially exposed credentials. It is also recommended to review security measures and deploy attack surface management to detect future supply chain threats.
Sources
TeamPCP Claims Data Breach on Telnyx
This cybersecurity news article is powered by UpGuard Breach Risk — continuous attack surface monitoring for your organisation and supply chain.