
Telnyx Package on PyPI Compromised by TeamPCP Using WAV Steganography
Malicious versions (4.87.1, 4.87.2) of the Telnyx Python SDK were uploaded to PyPI. They execute code on import and work across platforms. The package retrieves a WAV file from a command-and-control (C2) server; the file appears to be valid audio, but the package decodes payloads hidden in it using base64 and XOR operations and reconstructs the malicious code. On Windows, it drops msbuild.exe into Startup for persistence, while on Linux and macOS a staged Python loader fetches, decrypts, and executes a second-stage payload via stdin. The C2 server is located at 83.142.209.203:8080 with endpoints /hangup.wav and /ringtone.wav.
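A triage check built from the indicators above, as an added example that is not part of the original report: it looks for the two bad versions in installed metadata and in requirements-style pins, and for the C2 address in proxy log lines. The function names, the log line layout and the sample inputs are assumptions constructed for illustration.

```python
import re
from importlib import metadata

BAD_VERSIONS = {"4.87.1", "4.87.2"}            # versions named in the report
C2_PATHS = ("/hangup.wav", "/ringtone.wav")    # endpoints named in the report
C2_IP_RE = re.compile(r"(?<![\d.])83\.142\.209\.203(?!\d)")
PIN_RE = re.compile(r"^\s*telnyx\s*==\s*([0-9][^\s;#\\]*)", re.I | re.M)

def installed_bad_version():
    """Return the installed telnyx version if it is a bad one, else None.
    Reads distribution metadata only; it never imports telnyx, because the
    malicious releases run their code on import."""
    try:
        version = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

def bad_pins(requirements_text):
    """Bad versions pinned with == in requirements-style text."""
    return [v for v in PIN_RE.findall(requirements_text) if v in BAD_VERSIONS]

def c2_hits(log_lines):
    """(line index, known_path) for each line that contacts the C2 address.
    The WAV file names alone are too generic to alert on, so the IP is required."""
    hits = []
    for i, line in enumerate(log_lines):
        if C2_IP_RE.search(line):
            hits.append((i, any(p in line for p in C2_PATHS)))
    return hits

# Constructed sample inputs (not real data).
SAMPLE_REQS = """requests==2.32.3
telnyx==4.87.2 \\
    --hash=sha256:PLACEHOLDER
telnyx-helper==4.87.1
"""
SAMPLE_LOG = [
    "10.0.0.5 GET http://83.142.209.203:8080/ringtone.wav 200",
    "10.0.0.7 GET http://183.142.209.203/index.html 200",
    "10.0.0.9 GET http://cdn.example.com/hangup.wav 200",
]

if __name__ == "__main__":
    print("installed:", installed_bad_version())
    print("pinned:", bad_pins(SAMPLE_REQS))
    print("proxy hits:", c2_hits(SAMPLE_LOG))
```

Run it with an interpreter from the environment being checked so that the metadata lookup sees that environment's site-packages.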