March 27, 2026
Pip panic and mixtape malware
Telnyx Python SDK: Supply Chain Security Notice
A sneaky update hit for hours—now it’s blame, fixes, and memes
TLDR: Two malicious Telnyx Python package updates briefly hit PyPI, pushing developers to downgrade and rotate secrets while Telnyx says its core systems are safe. Commenters split between blaming sloppy versioning and slamming weak package safeguards, with jokes about “audio-file malware” underscoring a bigger fear: supply chain attacks are ramping up.
Telnyx says its own systems are fine, but two booby-trapped versions of its Python helper app slipped onto the public package site PyPI for a few morning hours—and the internet lit up. The bad releases (4.87.1 and 4.87.2) could have reached anyone who installed without locking the version, prompting a chorus of “rotate your secrets now.” One commenter summed up the mood as equal parts panic and eye-roll: another day, another supply chain mess.
The loudest fight? Who’s at fault. One camp scolds developers for not “pinning versions” (locking to a specific release), while others blast the ecosystem for making it too easy to publish poisoned updates. There’s a chorus demanding signed packages and stricter checks, and a counter-chorus saying this is the price of free, fast-moving open source. Telnyx insists the damage is restricted to those two releases and only via PyPI; no core systems or customer data were touched. Still, seeing this tied to a broader campaign hitting tools like Trivy, Checkmarx, and LiteLLM has people saying the quiet part out loud: this isn’t a one-off.
And because the internet never misses a punchline, the malware’s delivery trick—hiding data inside a WAV audio file—sparked instant memes about “malware mixtapes.” The HN thread is a cocktail of blame, practical checklists, and gallows humor. It’s chaos, but with jokes.
Key Points
- Malicious Telnyx Python SDK versions 4.87.1 and 4.87.2 were briefly published on PyPI on March 27, 2026 and subsequently removed.
- The incident was limited to the PyPI distribution channel; Telnyx’s platform, services, and production APIs were not compromised, and no customer data was accessed.
- Affected users installed/upgraded telnyx between 03:51 UTC and 10:13 UTC on March 27, 2026, often via unpinned dependencies or transitive installs.
- Telnyx advises downgrading to 4.87.0, rotating all secrets, auditing for outbound connections to 83.142.209.203:8080, and reviewing CI/CD and Docker builds.
- The attack is part of a broader multi-week supply chain campaign also impacting Trivy, Checkmarx, and LiteLLM; additional IOCs will follow and credential compromise is under investigation.
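The key points above amount to a triage checklist: find out whether a pinned or unpinned requirement could have pulled in 4.87.1 or 4.87.2, whether the install happened inside the 03:51–10:13 UTC window, and whether anything talked to 83.142.209.203:8080. The script below is an added example, not code from Telnyx or from the article; the versions, the time window and the outbound indicator are the ones stated in the notice, while the requirements file and the connection log it scans are constructed sample inputs.

```python
"""Triage helpers for the telnyx PyPI incident (added example, not Telnyx's code).

Versions, the UTC window and the outbound IOC come from the notice above.
All sample inputs below are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Values stated in the notice
AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}
SAFE_VERSION = "4.87.0"
WINDOW_START = datetime(2026, 3, 27, 3, 51, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 27, 10, 13, tzinfo=timezone.utc)
IOC_IP, IOC_PORT = "83.142.209.203", 8080

# Requirement lines such as "telnyx==4.87.1", "telnyx[extra]>=4.80,<5" or bare "telnyx"
_REQ_RE = re.compile(
    r"^\s*telnyx(\[[^\]]*\])?\s*(?P<spec>[=<>!~].*?)?\s*(#.*)?$", re.IGNORECASE
)
# Any occurrence of the IOC address, optionally with the port the notice names
_IOC_RE = re.compile(re.escape(IOC_IP) + r"(?::" + str(IOC_PORT) + r")?\b")


def classify_requirement(line: str) -> str | None:
    """Return 'affected', 'pinned-safe' or 'unpinned' for a telnyx line, else None."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    spec = (m.group("spec") or "").replace(" ", "")
    # Only an exact "==x.y.z" pin (no ranges, no wildcards) tells us which version resolved
    if spec.startswith("==") and "," not in spec and "*" not in spec:
        return "affected" if spec[2:] in AFFECTED_VERSIONS else "pinned-safe"
    # Anything else (no spec, ranges, ~=, wildcards) could have resolved to a bad release
    return "unpinned"


def scan_requirements(text: str) -> dict[str, str]:
    """Map each telnyx requirement line to its classification."""
    findings: dict[str, str] = {}
    for line in text.splitlines():
        verdict = classify_requirement(line)
        if verdict:
            findings[line.strip()] = verdict
    return findings


def installed_in_window(install_time: str) -> bool:
    """True if an ISO-8601 install timestamp falls in the notice's exposure window.

    Naive timestamps are assumed to be UTC (an assumption, not from the notice).
    """
    ts = datetime.fromisoformat(install_time)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return WINDOW_START <= ts <= WINDOW_END


def ioc_hits(log_text: str) -> list[str]:
    """Return connection-log lines that mention the outbound IOC from the notice."""
    return [ln for ln in log_text.splitlines() if _IOC_RE.search(ln)]


# Constructed sample requirements file
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
telnyx==4.87.1        # exact pin on a malicious release
telnyx>=4.80,<5       # range: would have resolved to 4.87.2 during the window
"""

# Constructed sample outbound-connection log (timestamps and internal hosts are made up)
SAMPLE_NET_LOG = """\
2026-03-27T05:12:44Z ci-runner-3 OUT 10.0.0.5:51234 -> 83.142.209.203:8080 TCP
2026-03-27T05:12:45Z ci-runner-3 OUT 10.0.0.5:51235 -> 151.101.0.223:443 TCP
2026-03-27T05:13:01Z ci-runner-3 OUT 10.0.0.5:51236 -> 83.142.209.203:8080 TCP
"""


def triage() -> dict[str, object]:
    """Run all three checks over the sample inputs and return a summary."""
    return {
        "requirements": scan_requirements(SAMPLE_REQUIREMENTS),
        "install_in_window": installed_in_window("2026-03-27T05:10:00+00:00"),
        "ioc_hits": ioc_hits(SAMPLE_NET_LOG),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

An "unpinned" verdict is the important one in practice: a bare `telnyx` or a range requirement gives no evidence either way, so the install timestamp and the connection log decide whether the secrets-rotation step is mandatory rather than precautionary. Point `scan_requirements` at your lockfiles and `ioc_hits` at egress or proxy logs from the window, and treat any hit as confirmation that the environment ran one of the two bad releases.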