The telnyx packages on PyPI have been compromised

The SafeDep blog reports that compromised versions of the telnyx package have been found in the PyPI repository:

Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS.


to post comments

What telnyx is ...

Posted Mar 27, 2026 17:02 UTC (Fri) by jepler (subscriber, #105975) [Link] (4 responses)

If you're like me, you did not know what Telnyx was before hearing that it was compromised.

Pypi: "The Telnyx Python library provides convenient access to the Telnyx REST API from any Python 3.9+ application"

telnyx(dot)com, ddg extract: "Telnyx—Voice AI Agents with Built-In Global Telco Infrastructure"

What telnyx is ...

Posted Mar 27, 2026 19:02 UTC (Fri) by welinder (guest, #4699) [Link] (2 responses)

I know precisely nothing about telnyx. But "over 1 million downloads per month" sounds like a very high number to me.

In fact, it sounds like the result of an automated procedure, possibly ci/cd, that downloads repeatedly for an unknown, much smaller, set of users.

What telnyx is ...

Posted Mar 28, 2026 9:36 UTC (Sat) by gurkan (subscriber, #155052) [Link]

so much nobody knows about it? https://repology.org/projects/?search=telnyx

What telnyx is ...

Posted Mar 30, 2026 8:51 UTC (Mon) by LtWorf (subscriber, #124958) [Link]

1 million downloads per month is not that much, most of these downloads are generated by CI/CD downloading the same things over and over (the technology for local mirrors has been lost).

Plus since it gets used as a metric of success, I suspect it gets abused very often.

What telnyx is ...

Posted Mar 28, 2026 13:43 UTC (Sat) by zdzichu (subscriber, #17118) [Link]

Now you know about it. And a handful of LWN readers know, too. No one will care or remember about the compromise in a few days.

But the brand visibility will increase.

Mission accomplished. It doesn't matter what they say; the important thing is they are talking about the brand.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds