TeamPCP isn’t slowing down. The threat actor group behind the LiteLLM and Trivy compromises has now hit the telnyx Python package, hiding credential-stealing malware inside WAV audio files.
This is the third major package compromise in their weeks-long supply chain campaign. And while security teams are still dealing with that, three new vulnerabilities in LangChain and LangGraph have been disclosed that can expose filesystem data, environment secrets, and conversation histories.
If you build with AI tools, your attack surface just grew again.
Telnyx: Malware Hidden in Music
On March 27, TeamPCP uploaded two malicious versions of the telnyx Python package to PyPI: versions 4.87.1 and 4.87.2. Telnyx is a telecommunications API used for SMS, voice, and messaging applications.
The malware uses WAV file steganography—a technique that hides executable code inside audio data. Here’s how it works:
- The package downloads a file called
hangup.wavfrom a command-and-control server - The audio frame data contains a base64-encoded payload
- The first 8 bytes of the decoded frames serve as an XOR key
- XOR the rest against that key, and you get a working executable
On Windows, the payload drops as msbuild.exe in the Startup folder—ensuring persistence across reboots. On Linux and macOS, a third-stage collector script is fetched using the same WAV-based technique.
The stolen credentials include:
- Cloud platform tokens (AWS, GCP, Azure)
- GitHub and GitLab credentials
- SSH keys
- Database connection strings
- Environment variables from
.envfiles
This is the same CanisterWorm infrastructure we covered last week. TeamPCP first used WAV steganography in their March 22 Kubernetes payload. Five days later, it appeared in telnyx.
If you installed telnyx version 4.87.1 or 4.87.2, assume full credential compromise. The GitHub issue tracking this has more details.
LangChain and LangGraph: Three Paths to Your Data
While everyone was watching TeamPCP, researchers disclosed three security vulnerabilities affecting LangChain and LangGraph—two of the most widely-used frameworks for building LLM-powered applications.
Each vulnerability exposes a different class of enterprise data:
CVE-2026-34070 (CVSS 7.5): Path Traversal
LangChain’s prompt-loading functionality allows access to arbitrary files without validation. An attacker can supply specially crafted input to read configuration files, tokens, internal templates, or Docker-related data—anything on the filesystem that the process can access.
Fixed in: langchain-core version 1.2.22+
Deserialization Flaw (CVSS 7.5)
LangChain’s legacy load_prompt functions have a deserialization vulnerability that lets attackers access files outside the intended directory. This is a separate issue from the path traversal bug, though both achieve similar outcomes.
Fixed in: langchain versions 0.3.81+ and 1.2.5+
CVE-2025-67644 (CVSS 7.3): SQL Injection
LangGraph’s SQLite checkpoint implementation allows attackers to manipulate SQL queries through metadata filter keys. Successful exploitation means arbitrary SQL queries against your conversation database—read, modify, or delete any stored data.
Fixed in: langgraph-checkpoint-sqlite version 3.0.1+
If you’re running LangChain or LangGraph in production with user-controllable inputs, these flaws can be exploited without authentication. The conversation history vulnerability is particularly concerning for applications that store sensitive user interactions.
The TeamPCP Timeline
For context on how this campaign has unfolded:
| Date | Event |
|---|---|
| March 19 | Trivy vulnerability scanner compromised (CVE-2026-33634, CVSS 9.4) |
| March 22 | CanisterWorm wiper spreads through 66+ npm packages |
| March 22 | Aqua Security’s 44 GitHub repos defaced |
| March 24 | LiteLLM versions 1.82.7 and 1.82.8 poisoned |
| March 27 | Telnyx versions 4.87.1 and 4.87.2 compromised |
The attackers are moving faster than teams can respond. Each compromise builds on infrastructure from the previous one. The WAV steganography technique—invisible to most security scanners—appeared in the Kubernetes payload and immediately moved to telnyx.
What You Should Do
For the telnyx compromise:
- Check if you have versions 4.87.1 or 4.87.2 installed:
pip show telnyx - If yes, rotate all credentials on that machine and any system it could reach
- Check for
msbuild.exein Windows Startup folders - Review outbound network connections for suspicious WAV downloads
For LangChain/LangGraph:
-
Update to patched versions immediately:
- langchain-core >= 1.2.22
- langchain >= 0.3.81 or >= 1.2.5
- langgraph-checkpoint-sqlite >= 3.0.1
-
Audit any user-controllable inputs to prompt loading functions
-
Review conversation histories for unauthorized access
-
If you can’t update immediately, restrict file system and database access for LLM applications
General supply chain hygiene:
- Pin dependencies with hash verification
- Use a private registry that mirrors only verified versions
- Monitor PyPI and npm advisories for packages you use
- Assume any package you install could be compromised tomorrow
The Pattern Is Clear
TeamPCP has demonstrated a consistent playbook: compromise widely-used developer tools, harvest credentials, and use that access to spread further. They’re not targeting end users—they’re targeting developers, CI/CD pipelines, and infrastructure.
The LangChain and LangGraph vulnerabilities aren’t related to TeamPCP, but they fit the same pattern of AI tooling being built faster than it can be secured. These frameworks process untrusted input by design. When that input can traverse filesystems or inject SQL, you have a problem.
AI development tooling has become the supply chain target of 2026. Every major package manager, every popular framework, every CI/CD integration is under scrutiny by attackers who know exactly how valuable developer credentials are.
Build accordingly.