Rapid Exploitation and Clever Malware in the Supply Chain, Last Week In AppSec (2026-04-02) - Checkmarx Two supply-chain stories mattered most this week: Langflow’s recent code-injection flaw was added to CISA’s Known Exploited Vulnerabilities catalog, and the Telnyx Python package compromise showed…

#LastWeekInAppSec wasn't just about #Axios. It also included:

🔨 rapid exploitation of a code injection + RCE in #Langflow (#CVE-2026-33017)

🕵️‍♂️ clever malware in #Telnyx package that used a valid .wav audio file to hide its payload.

▷ Read the details: buff.ly/pxbX0c0

#AppSec #DevSecOps

Backdoored Telnyx PyPI package pushes malware hidden in WAV audio TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.

Backdoored #Telnyx #PyPI package pushes #malware hidden in #WAV #audio

www.bleepingcomputer.com/news/security/backdoored...

#cybersecurity

TeamPCP Uses Fake Ringtone File in Tainted Telnyx SDK to Steal Credentials TeamPCP hackers planted malicious code in tainted Telnyx Python SDK versions using a fake ringtone file to steal credentials, crypto wallets, and keys.

#TeamPCP strikes again. Hackers hid credential-stealing malware inside a fake ringtone file in tainted #Telnyx SDK versions, targeting developers via a supply chain attack.

Read: hackread.com/teampcp-fake...

#CyberSecurity #DataBreach #SupplyChainAttack #Malware

Alert: TeamPCP exploits Telnyx services to deploy malware targeting cloud infrastructures. Ensure your APIs and services are secured. #CyberSecurity #CloudSecurity #TeamPCP #Telnyx Link: thedailytechfeed.com/teampcp-expl...

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files TeamPCP compromised the telnyx PyPI package by publishing malicious versions 4.87.1 and 4.87.2 that use audio steganography in .WAV files to deliver credential-harvesting payloads across Windows, Linux, and macOS; users should immediately downgrade to 4.87.0 and follow mitigation steps. The campaign persists on Windows via a Startup-dropped msbuild.exe, exfiltrates collected data...

TeamPCP pushed malicious Telnyx versions 4.87.1 and 4.87.2 to PyPI, hiding credential stealers in .WAV files using audio steganography targeting Windows, Linux, and macOS. Linked to previous supply-chain attacks. #Telnyx #SupplyChain #Linux

OSSPREY

Ossprey has detected a new wave of #TeamPCP malware embedded in #telnyx versions 4.87.1 and 4.87.2 on #PyPI.

Full analysis is on our blog.

If telnyx is in your dependency tree, check your installed version now.

ossprey.com/blog/telnyx-...

#SupplyChainSecurity #PyPI #OpenSource #Malware #AppSec

FINALLY! FCC Gets Tough on Robocall Fraud KYC isn’t a Thing, claims telco: Commissioner Brendan Carr (pictured) wants $4.5 million fine on Telnyx, for enabling “illegal robocall scheme.”

ついに！FCCがロボコール詐欺に厳しく対処

FINALLY! FCC Gets Tough on Robocall Fraud #SecurityBoulevard (Feb 7)

#FCC #Telnyx #ロボコール #KYC #通信規制

FINALLY! FCC Gets Tough on Robocall Fraud KYC isn’t a Thing, claims telco: Commissioner Brendan Carr (pictured) wants $4.5 million fine on Telnyx, for enabling “illegal robocall scheme.”

Scammers pretended to be FCC. This seems to have been enough to awaken the sleeping government giant. It proposes to fine #Telnyx.

But #FCC only acted after scammers tried to scam its own staff. In #SBBlogwatch, we don’t know your customer. @futurumgroup.bsky.social @techstronggroup.bsky.social

Robocallers who claimed to be the FCC tried to scam the FCC Don't laugh: The $4.5m fine proposed for carrier Telnyx shows how the Trump administration will run its comms regulator

The FCC proposes a $4.5 million fine against Telnyx after scammers impersonated the agency in robocalls targeting FCC staff. Telnyx disputes the fine, stating it acted swiftly to block the calls. #Robocalls #FCC #Telnyx #Cybersecurity www.theregister.com/2025/02/06/r...