Telnyx confirmed malicious versions 4.87.1 and 4.87.2 of their Python SDK appeared on PyPI on March 27, 2026 at 03:51 UTC. Both packages contained malicious code before being quarantined by 10:13 UTC. This attack is part of a broader supply chain campaign that has also affected Trivy, Checkmarx, and LiteLLM in recent weeks.

Users who installed or upgraded the telnyx package between 03:51 and 10:13 UTC are affected. The compromise was limited to the PyPI distribution channel, with the Telnyx platform, APIs, and infrastructure remaining secure. Developers using version 4.87.0 or earlier, or those using the REST API directly without the Python SDK, are not impacted.

Affected users should immediately downgrade to version 4.87.0 and rotate all accessible secrets. The C2 server identified is 83.142.209.203:8080, with exfiltration occurring through WAV steganography. While the SDK itself was compromised, no customer data was accessed through this incident. Telnyx is investigating how the publishing credentials were obtained.