- cross-posted to:
- cybersecurity@infosec.pub
The SafeDep blog reports that compromised versions of the telnyx package have been found in the PyPI repository:
Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS.
What are reliable ways to thwart such supply chain attacks? What if a widely used library like pandas is subverted in such a way?
One also needs to think about supply chain attacks and about simply finding and exploiting existing bugs in the multitude of dependencies of such libraries. The latter will likely soon become much more frequent with automated scanning and building of exploits.
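One concrete defence against a poisoned release like the one described above is to install only from a hash-pinned lock file, so that a newly published version (or a re-uploaded artifact with different bytes) is rejected instead of silently pulled in. The following is an added example, not code from the original post, SafeDep or the telnyx project; it reimplements in miniature what `pip install --require-hashes -r requirements.txt` enforces, and the package name `examplelib`, its version and the artifact bytes are constructed for the demo.

```python
"""Verify package artifacts against a hash-pinned lock file (added example).

Mirrors the rule pip enforces under --require-hashes: every requirement must
be an exact '==' pin carrying at least one --hash, and the downloaded artifact
must match one of those hashes before it is installed. Names, versions and
artifact bytes below are constructed for the demonstration.
"""
import hashlib
import re
from dataclasses import dataclass, field

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algo -> set of hex digests


def parse_lock(text: str) -> dict:
    """Parse a hash-pinned requirements file into {name: PinnedRequirement}.

    Raises ValueError for any requirement that is not an exact '==' pin or
    that carries no --hash, because such a line would let a freshly
    published (possibly malicious) release be installed without review.
    """
    reqs = {}
    # pip-compile continues long lines with a trailing backslash; join them.
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact version pin: {line!r}")
        req = PinnedRequirement(m["name"].lower(), m["version"])
        for h in HASH_RE.finditer(line):
            req.hashes.setdefault(h["algo"], set()).add(h["digest"])
        if not req.hashes:
            raise ValueError(f"missing --hash for {req.name}=={req.version}")
        reqs[req.name] = req
    return reqs


def rejects(text: str) -> bool:
    """True if parse_lock refuses the given lock file text."""
    try:
        parse_lock(text)
    except ValueError:
        return True
    return False


def verify_artifact(name: str, data: bytes, lock: dict) -> bool:
    """Return True only if the artifact bytes match a pinned hash for name."""
    req = lock.get(name.lower())
    if req is None:
        return False  # not pinned at all: refuse rather than trust the index
    for algo, digests in req.hashes.items():
        if algo not in hashlib.algorithms_available:
            continue
        if hashlib.new(algo, data).hexdigest() in digests:
            return True
    return False


# Constructed stand-ins for a downloaded wheel and a tampered re-upload of it.
GOOD_WHEEL = b"examplelib-1.0.0 wheel contents (constructed)"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected second-stage loader"

# Constructed lock file pinning examplelib to the known-good artifact.
LOCK_TEXT = (
    "examplelib==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)
LOCK = parse_lock(LOCK_TEXT)


def demo() -> dict:
    """Outcome of the three cases a hash-pinned install has to handle."""
    return {
        "good": verify_artifact("examplelib", GOOD_WHEEL, LOCK),
        "tampered": verify_artifact("examplelib", TAMPERED_WHEEL, LOCK),
        "unpinned": verify_artifact("otherlib", GOOD_WHEEL, LOCK),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that a version pin alone would not have stopped a malicious 4.87.1 from being installed by anyone whose constraint allowed it, whereas a pinned hash only ever admits bytes that someone reviewed when the lock file was generated; bumping the pin then becomes an explicit, reviewable change rather than an automatic upgrade.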