The Trivy poisoning was the warm-up. TeamPCP didn’t stop there.

Since March 19, this supply-chain campaign has been running hard. Last week it hit two new targets: LiteLLM and the Telnyx Python SDK. LiteLLM is the library that sits between your application and every major LLM provider – OpenAI, Anthropic, Cohere, all of them. If you’re running multi-model AI infrastructure, there’s a good chance it’s in your stack. Versions 1.82.7 and 1.82.8 were compromised. Three hours on PyPI. That’s enough time for CI/CD pipelines to pull poison without anyone noticing. Version 1.82.9 and later are clean.

The Telnyx SDK came next: versions 4.87.1 and 4.87.2 were compromised. Telnyx pulls 670,000 downloads a month. Version 4.87.3 and later are clean.

Both compromised packages used .pth files for persistence. Python path configuration files are legitimate, rarely audited, and most endpoint detection tools don’t watch them closely. The interpreter’s site module reads every .pth file in site-packages at start-up and executes any line that begins with "import", so once one is planted, the malicious code runs every time Python starts.
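The two checks a defender would want after reading this, as an added example that is not code from the original post or from the LiteLLM or Telnyx projects: confirm no compromised release is installed (using the version numbers stated above) and list every .pth file in site-packages that would execute code at interpreter start-up. The only behaviour it relies on is CPython's documented handling of .pth files; the sample .pth content at the bottom is constructed for illustration.

```python
"""Defender-side audit, added as an example (not from the original post).

Check 1: is a compromised LiteLLM or Telnyx SDK release installed?
Check 2: which .pth files in site-packages would execute code at start-up?

Python's site module reads every .pth file in a site-packages directory when
the interpreter starts.  A line beginning with "import " (or "import\\t") is
passed to exec(); blank lines and "#" comments are skipped; any other line is
appended to sys.path.  That documented behaviour is what gives a planted .pth
file persistence.
"""
import os
import site
from importlib import metadata

# Affected and first-clean versions exactly as stated in the post.
COMPROMISED = {
    "litellm": {"bad": {"1.82.7", "1.82.8"}, "clean_from": "1.82.9"},
    "telnyx": {"bad": {"4.87.1", "4.87.2"}, "clean_from": "4.87.3"},
}


def check_installed_versions(installed=None):
    """Return [(package, version)] for installed releases that are compromised.

    `installed` is an optional {name: version} mapping (handy for testing);
    by default the current environment is queried via importlib.metadata.
    """
    if installed is None:
        installed = {}
        for name in COMPROMISED:
            try:
                installed[name] = metadata.version(name)
            except metadata.PackageNotFoundError:
                pass
    hits = []
    for name, version in installed.items():
        info = COMPROMISED.get(name.lower())
        if info and version in info["bad"]:
            hits.append((name, version))
    return hits


def pth_executable_lines(text):
    """Return the lines of a .pth file's text that site.addpackage() would exec().

    Mirrors CPython's rule: skip "#" comments and blank lines, execute lines
    starting with "import " or "import\\t", treat everything else as a path.
    """
    executable = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            executable.append(line)
    return executable


def audit_pth_files(site_dirs=None):
    """Return [(path, [executable lines])] for .pth files that run code.

    Scans the given directories, or the interpreter's site-packages plus the
    user site-packages by default.  Some legitimate tools ship .pth files with
    an import line (setuptools' distutils-precedence.pth, virtualenv's
    _virtualenv.pth), so each hit needs a human look, not automatic deletion.
    """
    if site_dirs is None:
        site_dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for directory in site_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = pth_executable_lines(fh.read())
            except OSError:
                continue
            if lines:
                findings.append((path, lines))
    return findings


# Constructed sample .pth content (hypothetical): a comment, a path entry, and
# one import line that the site module would execute at every start-up.
SAMPLE_PTH = (
    "# vendored paths\n"
    "/opt/vendor/lib\n"
    "import sys; sys.stderr.write('hypothetical start-up hook')\n"
)

if __name__ == "__main__":
    for pkg, ver in check_installed_versions():
        fixed = COMPROMISED[pkg]["clean_from"]
        print(f"COMPROMISED RELEASE INSTALLED: {pkg}=={ver}; upgrade to >= {fixed}")
    for path, lines in audit_pth_files():
        print(f"{path} executes {len(lines)} line(s) at start-up: {lines}")
```

Run it inside each virtualenv and container image your pipelines build from; a .pth import line that you cannot trace to setuptools, virtualenv or another tool you installed on purpose is the thing to investigate.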

Now the part that deserves your full attention: the malware payload was hidden inside .wav audio files. Not a typo. WAV files are binary data, and so is malware. A payload encoded to look like valid audio frames doesn’t get flagged, because almost nothing inspects audio files for executable content. That’s exactly why it works.

On top of all that, TeamPCP announced an affiliate program with a ransomware operation called Vect. Up until now this looked like credential harvesting at scale. The Vect partnership signals they’re ready to activate that access for something louder.

The campaign has been quiet since March 28. That’s not reassuring. That’s a held breath.

CISA’s remediation deadline for the associated CVE is April 8. Use it.

