Someone hid malware inside a WAV file and 742,000 developers downloaded it
Last Thursday, someone pushed two malicious versions of the telnyx Python SDK to PyPI. The package gets about a million downloads a month. Versions 4.87.1 and 4.87.2 contained a credential stealer that was hidden inside a WAV audio file.
Not encrypted. Not obfuscated in the traditional sense. Literally embedded in the waveform data of what looked like a ringtone. Your antivirus saw a music file. Your EDR saw a music file. The Python process downloaded it, decoded it with a simple XOR key, and ran the payload in memory.
I keep coming back to how elegant this is. And how deeply unsettling.
The attack chain that nobody saw
The group behind this is called TeamPCP, and they've been busy. On March 19, they compromised Trivy, Aqua Security's open-source vulnerability scanner. The irony is thick: the tool designed to catch security issues was itself the vector. They injected malicious binaries into multiple Docker tags, and every CI/CD pipeline running Trivy without version pinning handed over its npm tokens, Docker Hub credentials, and PyPI publishing keys.
By March 20, TeamPCP used those stolen tokens to deploy their CanisterWorm backdoor across 46+ npm packages. The worm automated the entire process: steal token, publish malicious version, move to next package. Token-to-compromise in under 60 seconds.
Then on March 27, they hit telnyx. But this time they got creative.
Why a ringtone broke every scanner
Traditional malware hides in obvious places. Obfuscated JavaScript. Base64-encoded blobs. Suspicious executables. Security tools know what to look for. Network monitors flag unusual downloads. EDR products scan binaries for known patterns.
A WAV file breaks all of those assumptions.
The telnyx attack injected code into _client.py that spawned a detached process on Linux and macOS. That process downloaded a file called ringtone.wav from a command-and-control server. The file was a structurally valid WAV container. You could play it. It would make sound. But hidden in the audio frame data was a base64-encoded, XOR-encrypted payload.
The decryption routine was trivial. A few lines of Python. The payload ran entirely in memory, never touching disk, harvesting every credential it could find and exfiltrating the data over encrypted channels.
Here's what makes this hard to defend against: there's no malicious binary to scan. No suspicious file extension. No executable download. Just a Python process fetching what looks like an audio asset. Plenty of legitimate applications download media files. Good luck writing a firewall rule that distinguishes between a real ringtone and one carrying a credential stealer in its waveform.
What this means if you ship Python
If you're running pip install in a CI/CD pipeline (and you are), here's what you should be checking right now:
Pin your versions. Not version ranges. Exact versions. telnyx==4.87.0, not telnyx>=4.0. The teams that got hit were the ones auto-upgrading to latest.
Audit your lock files. Run pip freeze in your production environments and diff against your requirements. If 4.87.1 or 4.87.2 shows up anywhere, assume compromise. Rotate every secret that environment could access.
Watch for unusual network calls. Python processes downloading audio files should raise an eyebrow. Set up alerts for outbound connections from your application servers to unfamiliar domains, especially when the response content type is audio.
Don't trust your security scanner. TeamPCP literally compromised Trivy first. The scanner was the entry point. Run multiple tools. Verify signatures. Check that the scanner itself hasn't been tampered with.
The PyPI team quarantined both versions within about six hours. That's fast. But at 30,000 downloads per day, six hours is a lot of compromised environments.
The bigger pattern
This isn't an isolated incident. Supply chain attacks grew by 280% in 2025 according to Sonatype's annual report. In February 2026, attackers used image steganography on npm, hiding .NET loaders inside PNG pixel values hosted on public image sites. The dYdX npm and PyPI packages were compromised with wallet stealers the same month.
Attackers aren't trying to break into your server anymore. They're poisoning the packages your server asks for. And they're getting increasingly creative about where they hide the payload. Audio files today. Tomorrow, who knows. Font files? SVG images? WASM modules?
The open-source supply chain runs on trust. You trust that the package you installed yesterday is the same one you'll install tomorrow. TeamPCP showed that trust can be weaponized in under 60 seconds, jumping from one stolen token to dozens of compromised packages before anyone notices.
What to watch
- Audio and image steganography in supply chain attacks will increase. Once a technique works, it gets copied. Expect variants using video files, fonts, and other "safe" media types.
- Version pinning and lock file auditing are no longer optional. If your CI/CD auto-upgrades dependencies, you have a TeamPCP-shaped hole in your security.
- Security tools themselves are targets. When the scanner is the attack vector, your defense-in-depth collapses to defense-in-nothing. Verify your tools before trusting their output.
- Six hours is the new benchmark. That's how fast PyPI responded. Your incident response plan needs to assume that a compromised package could be live for at least that long.
The week a group of hackers hid a credential stealer inside a ringtone and shipped it through the Python package index, the supply chain security conversation stopped being theoretical. It got a soundtrack.
References: