TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM
The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply‑chain activity, with adjustments to tooling, delivery methods, and platform coverage. In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving its delivery from inline Base64 to .pth auto-execution and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.
The shift from HTTPS domains to plaintext HTTP on a raw IP address may signal mounting infrastructure pressure, but it simultaneously introduces a detection opportunity. In affected environments, indicators may include WAV file downloads from non‑media IP addresses over port 8080, unexpected msbuild.exe binaries in user Startup folders, outbound HTTP requests containing the X‑Filename: tpcp.tar.gz header, and file‑hiding activity such as attrib +h applied to .lock files.
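The indicators listed above can be turned into simple detection rules. The following is an added example, not code from the report or from Trend; it assumes a constructed key=value telemetry format, uses a "destination is a raw IPv4 address" heuristic as a stand-in for "non-media IP address", and takes the 83.142.209.203 C&C address from the hunting query further down this page. The sample events are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry in a simple key=value format assumed for this example;
# these lines are not from the report. The destination IP is the C&C address
# given in the page's hunting query.
SAMPLE_EVENTS = [
    'type=net proto=http dst=83.142.209.203 dport=8080 url=http://83.142.209.203:8080/a.wav',
    'type=net proto=http dst=cdn.media.example dport=443 url=https://cdn.media.example/song.wav',
    'type=file action=create path="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe"',
    'type=net proto=http dst=83.142.209.203 dport=8080 method=POST headers="X-Filename: tpcp.tar.gz"',
    'type=proc cmdline="attrib +h C:\\Users\\alice\\.telnyx.lock"',
    'type=proc cmdline="attrib +r C:\\Users\\alice\\notes.txt"',
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# msbuild.exe dropped directly into a per-user Startup folder.
STARTUP_MSBUILD = re.compile(r"\\start menu\\programs\\startup\\msbuild\.exe$", re.IGNORECASE)
# Outbound request carrying the X-Filename: tpcp.tar.gz header named in the report.
TPCP_HEADER = re.compile(r"x-filename:\s*tpcp\.tar\.gz", re.IGNORECASE)
# attrib +h used to hide a .lock file.
ATTRIB_HIDE_LOCK = re.compile(r"\battrib\b.*\+h\b.*\.lock\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value pairs; double-quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def wav_over_http_8080(ev: Dict[str, str]) -> bool:
    # WAV fetched over plaintext HTTP on port 8080 from a raw IP (heuristic for
    # "non-media IP address"; a CDN hostname would not trip this rule).
    return (ev.get("type") == "net" and ev.get("proto") == "http"
            and ev.get("dport") == "8080"
            and IPV4.match(ev.get("dst", "")) is not None
            and ev.get("url", "").lower().endswith(".wav"))


def msbuild_in_startup(ev: Dict[str, str]) -> bool:
    return ev.get("type") == "file" and STARTUP_MSBUILD.search(ev.get("path", "")) is not None


def tpcp_filename_header(ev: Dict[str, str]) -> bool:
    return ev.get("type") == "net" and TPCP_HEADER.search(ev.get("headers", "")) is not None


def attrib_hide_lock(ev: Dict[str, str]) -> bool:
    return ev.get("type") == "proc" and ATTRIB_HIDE_LOCK.search(ev.get("cmdline", "")) is not None


RULES = [
    ("wav_over_http_8080", wav_over_http_8080),
    ("msbuild_in_startup", msbuild_in_startup),
    ("tpcp_filename_header", tpcp_filename_header),
    ("attrib_hide_lock", attrib_hide_lock),
]


def scan(lines) -> List[Tuple[str, str]]:
    """Return (rule name, raw line) for every rule each event matches."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in scan(SAMPLE_EVENTS):
        print(f"[{name}] {line}")
```

Each rule is deliberately narrow; in a real pipeline the raw-IP heuristic would be replaced by an allow-list of known media hosts, and the Startup-folder rule widened to any unexpected executable, since the binary name is the attacker's choice.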
As a precautionary measure, organizations should downgrade any installations of Telnyx 4.87.1 or 4.87.2 to the last known clean release (4.87.0) and treat systems that imported the affected versions as exposed. Organizations should also pin all PyPI dependencies by hash and closely monitor CI/CD environments for unexpected audio file downloads,
TrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.
TrendAI Vision One™ Threat Intelligence Hub
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats: TeamPCP Hits Telnyx: WAV Steganography and Windows Targeting
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Detects network connections to the campaign’s C&C server
eventSubId:201 AND request:"*83.142.209.203*"
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
Indicators of Compromise (IoCs)
The indicators of compromise for this entry can be found here.
