Unauthorized versions of the Telnyx Python SDK were briefly published to PyPI as part of a broader supply chain attack. Learn which versions were affected, who is impacted, and the steps to secure your environment.
On March 27, 2026 at 03:51:28 UTC, two unauthorized versions of the Telnyx Python SDK were published to PyPI: versions 4.87.1 and 4.87.2. Both versions contained malicious code. Both were quarantined by 10:13 UTC the same day.
This incident is part of a broader supply chain campaign that has also affected Trivy, Checkmarx, and LiteLLM.
The Telnyx platform, APIs, and infrastructure were not compromised. This incident was limited to the PyPI distribution channel for the Python SDK.
| Version | Published |
|---|---|
| telnyx==4.87.1 |
Related articles
| 03:51:28 UTC, March 27, 2026 |
| telnyx==4.87.2 | Shortly after |
Both versions have been removed from PyPI.
You may be affected if:
Run the following command:
pip show telnyx
If the version shown is 4.87.1 or 4.87.2, treat the environment as compromised.
pip install telnyx==4.87.0
| Type | Value |
|---|---|
| C2 server | 83.142.209.203:8080 |
| Exfil technique | WAV steganography payload delivery |
Additional IOCs will be published as the investigation confirms them.
The Telnyx platform, voice services, messaging infrastructure, networking, SIP, AI inference, and all production APIs were not affected.
The SDK is a client library that wraps public APIs. It has no privileged access to Telnyx infrastructure. No customer data was accessed through this incident.
This attack is part of a multi-week supply chain campaign:
Contact [email protected] if you have questions about this incident or need assistance determining if your environment was affected.