Databricks Investigates TeamPCP Supply Chain Attack Linked to PyPI Breach

Telnyx PyPI package security breach

The threat group TeamPCP has compromised the official Telnyx Python SDK on PyPI, escalating an ongoing supply chain campaign that earlier hit Trivy, Checkmarx KICS, and LiteLLM.

According to a security notice from Telnyx, the attackers published two malicious versions of the package, 4.87.1 and 4.87.2, on March 27. They uploaded them directly with stolen PyPI credentials, bypassing the project's GitHub release process entirely. PyPI identified the threat and quarantined both versions within hours.

The package is the client library for Telnyx's telephony APIs and records over 670,000 monthly downloads, so the exposure could be wide. Researchers believe the breach resulted from a credential cascade: tokens stolen during the earlier LiteLLM compromise likely gave the attackers direct access to the PyPI account.

Hidden Malware Technique Evades Detection

Rather than embedding malicious code in the package itself, the attackers hid a 332-line credential harvester inside a valid WAV audio file that the package retrieves at runtime. Because the harvester is never part of the published artifact, static analysis of the package does not find it.

“To any network monitoring system watching the wire, the application downloaded a ringtone,” researchers at Phoenix Security wrote. “The actual payload never exists on disk in the package and is not visible to any static analysis of the installed wheel.”

Researchers at Socket observed that the payload runs from a temporary directory and leaves minimal forensic evidence. On Windows, however, it establishes persistence by placing a disguised binary in the Startup folder, the first time the campaign has targeted Windows environments.

Credential Theft Expands to Cloud Systems

The payload is primarily a credential harvester: it collects SSH keys, cloud credentials, Kubernetes configurations, database passwords, and shell histories. When it finds AWS credentials, it queries the Instance Metadata Service and retrieves secrets from Secrets Manager and Parameter Store.

The attackers are now using the stolen credentials for follow-on access. According to Wiz, they are cloning repositories and accessing cloud services such as S3 and databases, and reports indicate they validate harvested credentials and move laterally across systems.

Databricks is also investigating a potential downstream compromise linked to these stolen credentials, although no official statement has been released.

Telnyx confirmed that its core infrastructure and APIs remain secure. Users who installed either affected version during the exposure window should nonetheless treat those systems as compromised and rotate all credentials immediately.
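As an added triage aid (not from Telnyx or the article), the check below scans requirements or `pip freeze` lines for the two pulled releases and inspects the running environment; it assumes the PyPI project name is `telnyx` and flags range or unpinned specifiers as needing manual verification, since a resolver could have selected a bad release during the exposure window.

```python
"""Flag dependency pins and installed versions matching the two pulled Telnyx releases."""
import re
from importlib import metadata

# Versions named in the Telnyx notice; 'telnyx' as the PyPI project name is an assumption.
AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}

# One requirement line: name, optional [extras], optional operator and version.
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*(?P<ver>[^\s;#]+)?"
)

def normalize(name):
    """PEP 503 normalisation so 'Telnyx', 'telnyx_sdk'-style spellings compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(line):
    """Return (name, verdict) for one requirements / pip-freeze line, or None to skip it."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):   # blank, comment, or -r/-e option
        return None
    m = _REQ.match(stripped)
    if not m:
        return None
    name = normalize(m.group("name"))
    bad = AFFECTED.get(name)
    if bad is None:
        return (name, "ok")
    op, ver = m.group("op"), m.group("ver")
    if op == "==":
        return (name, "affected" if ver in bad else "ok")
    return (name, "verify")   # range, URL or unpinned: resolver may have chosen a bad release

def scan(lines):
    """Map each flagged package to its worst verdict ('affected' outranks 'verify')."""
    findings = {}
    for line in lines:
        result = classify(line)
        if result and result[1] != "ok":
            name, verdict = result
            if findings.get(name) != "affected":
                findings[name] = verdict
    return findings

def installed_is_affected(dist="telnyx"):
    """Check the current environment; None means the distribution is not installed."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return version in AFFECTED.get(normalize(dist), set())
```

Run `scan` over `pip freeze` output or lock files from each build host and CI runner; any "affected" hit means the credential rotation above applies to that host.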

© 2024 The Technology Express. All Rights Reserved.