
"Our analysis reveals a three-stage runtime attack chain on Linux/macOS consisting of delivery via audio steganography, in-memory execution of a data harvester, and encrypted exfiltration. The entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host."
"On Windows, the malware downloads a file named 'hangup.wav' from a command-and-control (C2) server and extracts from the audio data an executable that's then dropped into the Startup folder as 'msbuild.exe.' This allows it to persist across system reboots and automatically run every time a user logs in to the system."
"In case the compromised host runs on Linux or macOS, it fetches a different .WAV file ('ringtone.wav') from the same server to extract a third-stage collector script and run it. The credential harvester is designed to capture a wide range of sensitive data and exfiltrate the data in the form of 'tpcp.tar.gz' via an HTTP POST request to '83.142.209[.]203:8080.'"
TeamPCP compromised the telnyx Python package by publishing two malicious versions, 4.87.1 and 4.87.2, on March 27, 2026. These versions carry credential-harvesting code hidden inside a .WAV file. Because the PyPI project has been quarantined, users are advised to downgrade to version 4.87.0. The malware targets Windows, Linux, and macOS, using audio steganography for delivery and executing a data harvester. On Windows it persists by dropping an executable into the Startup folder; on Linux/macOS it fetches a different .WAV file that carries the collector script.
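As an added defensive check that is not part of the article: this Python snippet parses requirement lines and reports which of the two malicious telnyx releases a pin could still resolve to, so a loose range such as `telnyx>=4.87,<4.88` is caught and not only an exact pin. The sample requirements content is constructed, and the specifier matcher is a deliberately minimal stand-in for `packaging` that models comparison operators only.

```python
import operator
import re

MALICIOUS_TELNYX = ("4.87.1", "4.87.2")  # releases named in the advisory
_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*([^#]*)")
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

def _vtuple(v):
    # Numeric release segments: (4, 87) < (4, 87, 1), which is what X.Y pins need.
    return tuple(int(p) for p in v.split("."))

def _satisfies(version, spec):
    """True unless a clause of the comma-separated spec provably excludes version."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE.match(clause)
        if not m:
            continue  # ~=, wildcards etc. are not modelled: cannot rule out, keep the flag
        op, bound = m.groups()
        if not _OPS[op](_vtuple(version), _vtuple(bound)):
            return False
    return True  # no clauses at all: an unpinned install can pull any release

def affected_versions(requirement):
    """Malicious telnyx versions that a single requirement line could resolve to."""
    m = _REQ.match(requirement)
    if not m or m.group(1).lower().replace("_", "-") != "telnyx":
        return []
    return [v for v in MALICIOUS_TELNYX if _satisfies(v, m.group(2).strip())]

def scan_requirements(text):
    """Map each offending line of a requirements file to the versions it admits."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            hits = affected_versions(line)
            if hits:
                findings[line] = hits
    return findings

# Constructed sample requirements file (not from the article).
SAMPLE = """telnyx==4.87.1
requests>=2.31
telnyx>=4.87,<4.88  # a loose range still admits both bad releases
"""
```

For the interpreter you are actually running, `importlib.metadata.version("telnyx")` compared against `MALICIOUS_TELNYX` gives the same verdict for the installed distribution.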
Read at The Hacker News