submitted 2 months ago by cm0002@europe.pub to c/python@programming.dev

The SafeDep blog reports that compromised versions of the telnyx package have been found in the PyPI repository:

Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS.

HaraldvonBlauzahn@feddit.org, 1 point, 2 weeks ago

What are reliable ways to thwart such supply chain attacks? What if a widely used library like pandas is subverted in such a way?

One also needs to think of supply chain attacks and of simply finding and exploiting existing bugs in the multitude of dependencies of such libraries. The latter will likely soon become much more frequent with automated scanning and building of exploits.
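One concrete, reliable control for the question above is a pre-install gate: refuse any dependency pinned to a version an advisory has flagged, and refuse any pin that lacks a `--hash`, since a hash pin makes a substituted artifact fail to install instead of running. The script below is an added example written for this page (it is not code from SafeDep or from the post). Its flagged-version list contains only the two telnyx versions the quoted report names; the sample requirements file and its sha256 digests are constructed placeholders.

```python
"""Audit a pip requirements/lock file against versions an advisory has
flagged, and check that every pin carries a --hash so a substituted
artifact cannot install silently.  Added example; stdlib only."""
import re
from importlib import metadata
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Only the versions named in the SafeDep report quoted in the post.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {
    "telnyx": {"4.87.1", "4.87.2"},
}

# Package name at line start, optionally followed by an exact '==' pin.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'Telnyx' and 'telnyx' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _join_continuations(lines: Iterable[str]) -> List[str]:
    """Fold backslash-continued lines so '--hash=' options on the next
    physical line are attributed to the requirement they belong to."""
    joined, buf = [], ""
    for raw in lines:
        line = raw.rstrip("\n")
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def parse_requirements(lines: Iterable[str]) -> List[Tuple[str, Optional[str], bool]]:
    """Return (normalized name, pinned version or None, has_hash) per requirement."""
    out = []
    for line in _join_continuations(lines):
        m = _REQ_RE.match(line)
        if not m:
            continue  # blank lines, comments and pip options are skipped
        out.append((normalize(m.group(1)), m.group(2), "--hash=" in line))
    return out


Finding = Tuple[str, Optional[str], str]


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return (name, version, issue) triples; an empty list means the file is clean."""
    findings: List[Finding] = []
    for name, version, has_hash in parse_requirements(lines):
        if version is None:
            findings.append((name, None, "unpinned"))
            continue
        if version in COMPROMISED_VERSIONS.get(name, set()):
            findings.append((name, version, "compromised"))
        if not has_hash:
            findings.append((name, version, "no-hash"))
    return findings


def installed_version_compromised(dist_name: str) -> Optional[bool]:
    """Check an already-installed environment: None if the distribution is
    absent, otherwise whether its installed version is on the flagged list."""
    try:
        ver = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return ver in COMPROMISED_VERSIONS.get(normalize(dist_name), set())


# Constructed sample; the sha256 digests are placeholders, not real hashes.
SAMPLE_REQUIREMENTS = [
    "# constructed sample, not a real lock file",
    "requests==2.32.3 \\",
    "    --hash=sha256:" + "0" * 64,
    "telnyx==4.87.1",
    "Telnyx==4.87.2 --hash=sha256:" + "1" * 64,
    "pandas>=2.0",
]

if __name__ == "__main__":
    for name, version, issue in audit(SAMPLE_REQUIREMENTS):
        print(f"{issue:12} {name}{'==' + version if version else ''}")
    print("telnyx installed and compromised:", installed_version_compromised("telnyx"))
```

Run it as a CI step before `pip install`; pip's own `--require-hashes` mode then enforces the same hash pins at install time, so an artifact whose digest no longer matches the lock file is rejected rather than executed. The version list is the part that needs maintenance: it only catches what an advisory has already named, which is why the `no-hash` and `unpinned` findings matter at least as much as the `compromised` one.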

this post was submitted on 27 Mar 2026
