
Cybercriminals Exploit Telnyx Package in Latest Supply Chain Attack

The attackers appear to have interfered with the PyPI distribution of Telnyx’s Python software development kit.
A cybercriminal group previously associated with a supply chain compromise involving the Trivy vulnerability scanner has launched another attack, this time targeting developers through manipulated Telnyx packages on the Python Package Index (PyPI).

According to findings from Ox Security, the group known as TeamPCP has re-emerged after its earlier involvement in distributing malicious versions of the LiteLLM package. That earlier campaign followed a breach affecting Trivy, an open-source vulnerability scanning tool, and resulted in compromised packages being made available to developers.

In the latest incident, the attackers appear to have interfered with the PyPI distribution of Telnyx’s Python software development kit. Telnyx, which provides voice-over-IP services and artificial intelligence-based voice solutions, had legitimate package versions replaced with altered releases containing multi-stage information-stealing malware together with persistence mechanisms designed to keep long-term access to infected systems.

Researchers noted that while the malicious logic resembles what was previously observed in the LiteLLM case, the delivery technique differs. Instead of embedding the harmful code directly in the package, the Telnyx versions retrieve a secondary payload disguised as a .wav audio file, which is then decoded and executed on the victim’s machine. This indirection keeps the obviously malicious code out of the package contents themselves, so a review of the uploaded files alone would not reveal the full behaviour.

Telnyx acknowledged the issue and stated that it has since been resolved. The company clarified that the incident was limited strictly to its Python package and did not affect its infrastructure, network environment, APIs, or core services. However, it warned that any system where the affected package versions were installed should be considered compromised.

Users have been specifically advised to check whether they installed versions 4.87.1 or 4.87.2. If so, the recommendation is to treat the affected environment as breached and immediately rotate any credentials that may have been exposed on it. Because the malware is an information stealer, a later upgrade or uninstall of the package does not undo the exposure; the question is only whether one of those two versions was ever present.
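The check above is easy to get wrong if it is done by eye, because the affected release can be present in three places at once: the running interpreter, an exact pin in requirements.txt or a `pip freeze` listing, and a resolved entry in a poetry.lock or uv.lock file. The script below, an added example for this page and not Telnyx’s or Ox Security’s tooling, audits all three. The only facts it takes from the article are the package name and the two version numbers; the manifest formats it parses and the sample manifests it is run on are constructed for demonstration.

```python
"""Audit an environment and its dependency manifests for the Telnyx SDK
releases named in the advisory (4.87.1 and 4.87.2).

Added example: not code from Telnyx, Ox Security or PyPI. The version
list is taken from the article; the manifest formats handled are
assumptions about what a typical Python project carries.
"""
import re
from importlib import metadata

AFFECTED_VERSIONS = {"4.87.1", "4.87.2"}   # versions named in the advisory
PACKAGE = "telnyx"


def normalize(name: str) -> str:
    """PEP 503 style normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_affected(name: str, version: str) -> bool:
    return normalize(name) == PACKAGE and version.strip() in AFFECTED_VERSIONS


def installed_version(dist_name: str = PACKAGE):
    """Version of dist_name installed in the running interpreter, or None."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


# requirements.txt / pip freeze style: "telnyx==4.87.1", extras and comments allowed.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+]*)")


def affected_pins(requirements_text: str):
    """(name, version) for every exact pin of an affected release. Ranges such as
    'telnyx>=4.87.0' are deliberately not matched: they are only resolved in a
    lock file or in the installed environment."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0]
        m = _PIN.match(line)
        if m and is_affected(m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# poetry.lock / uv.lock style [[package]] tables with name = "..." / version = "..." keys.
_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]*)"')


def affected_lock_entries(lock_text: str):
    """(name, version) for every [[package]] table that records an affected release."""
    hits = []
    current, in_package = {}, False

    def flush():
        if in_package and "name" in current and "version" in current \
                and is_affected(current["name"], current["version"]):
            hits.append((current["name"], current["version"]))

    for line in lock_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):            # any table header closes the current table
            flush()
            current, in_package = {}, stripped == "[[package]]"
            continue
        if in_package and (m := _KV.match(line)):
            current.setdefault(m.group(1), m.group(2))
    flush()
    return hits


def audit(requirements_text: str = "", lock_text: str = "") -> dict:
    """Combine the three checks. A non-empty 'findings' list means the host has
    carried an affected release and should be treated as compromised."""
    findings = []
    installed = installed_version()
    if installed is not None and is_affected(PACKAGE, installed):
        findings.append(("installed", PACKAGE, installed))
    findings += [("requirements", n, v) for n, v in affected_pins(requirements_text)]
    findings += [("lockfile", n, v) for n, v in affected_lock_entries(lock_text)]
    return {"installed_version": installed, "findings": findings}


# Constructed sample manifests for demonstration (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx==4.87.1        # pinned for the voice integration
telnyx[async]==4.86.0
telnyx>=4.87.2
"""

SAMPLE_LOCK = """\
[[package]]
name = "anyio"
version = "4.4.0"

[[package]]
name = "telnyx"
version = "4.87.2"

[package.dependencies]
anyio = ">=3"
"""

if __name__ == "__main__":
    print("sample manifests:", audit(SAMPLE_REQUIREMENTS, SAMPLE_LOCK))
    print("this interpreter:", audit())
```

Run it inside each virtual environment that may have used the SDK, not only on the developer workstation: CI runners and container images that resolved `telnyx>=4.87.0` during the window would have picked up an affected release without any pin ever naming it, and only the lock file or the installed metadata records that. A clean result is evidence, not proof; if the package was present at any point, follow the vendor advice above and rotate credentials regardless.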

The potential scale of exposure is notable. Ox Security reported that Telnyx packages receive more than 34,000 downloads per week on PyPI, suggesting that a considerable number of developers and services may have unknowingly installed the malicious versions before they were removed.


RedLine Infostealer Case Leads to Extradition

In a separate law enforcement development, an individual suspected of involvement in the RedLine infostealer operation has been extradited to the United States. Hambardzum Minasyan, an Armenian national, recently appeared in federal court in Austin, Texas.

He faces charges that include conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to engage in money laundering. According to court documents, his alleged role involved setting up virtual private servers and domains used to host RedLine infrastructure, maintaining repositories used to distribute the malware to affiliates, and registering cryptocurrency accounts used to collect payments.

If convicted on all counts, Minasyan could face a maximum sentence of 30 years in prison.

Authorities had previously identified another alleged key figure, Maxim Rudometov, in 2024, describing him as a central developer and operator of the RedLine malware. The U.S. government later announced a reward of $10 million for information related to Rudometov and his associates. It remains unclear whether any reward was issued in connection with Minasyan’s arrest.


EU Examines Snapchat and Adult Platforms Under Digital Services Act

Regulators in the European Union have also taken action against several online platforms over concerns related to child safety and compliance with the Digital Services Act.

Adult content platforms including Pornhub, Stripchat, XNXX, and XVideos have been provisionally found to be in violation of the law. The European Commission stated that these platforms rely on basic self-declaration systems requiring users to confirm they are over 18, without implementing robust age-verification mechanisms.

As these findings are preliminary, the companies have been given an opportunity to respond before any enforcement measures are finalized.

Snapchat is also under scrutiny, though at an earlier stage of investigation. The European Commission has indicated that the platform may face similar issues, particularly in relying on self-declared age verification. Regulators have raised concerns that such measures may not adequately protect minors from harmful interactions, including risks related to exploitation or recruitment into criminal activity.

A detailed investigation into Snapchat’s practices is now underway to determine whether further regulatory action is required.


LAPSUS$ Claims Data Leak from AstraZeneca

Meanwhile, the threat group LAPSUS$ has released a dataset totaling 2.66 GB, claiming it was stolen from pharmaceutical company AstraZeneca. If confirmed, the incident could become one of the more significant healthcare-related cybersecurity events of the year.

Analysis from SOCRadar suggests that the exposed data may include internal code repositories, authentication-related information, cloud infrastructure references, and employee records. Researchers indicated that the nature of the data points to a deeper operational compromise rather than a limited credential leak.

Such information could potentially be used to carry out further attacks, including targeted phishing campaigns or supply chain intrusions affecting AstraZeneca’s partners. The full dataset was reportedly released publicly over the weekend.


US Researchers Develop Large-Scale AI Vulnerability Detection System

In another development, researchers at Oak Ridge National Laboratory have introduced an advanced system designed to identify and exploit vulnerabilities in artificial intelligence models at scale.

The system, named Photon, operates at exascale computing levels and is capable of continuously probing AI systems for weaknesses. It begins by applying known attack techniques to a target model and then refines those methods based on observed responses. At the same time, it searches for previously unknown vulnerabilities and incorporates them into its testing cycle.

According to the research team, Photon was able to maintain approximately 95 percent computational efficiency while running across 1,920 GPUs on the Frontier supercomputer. It also reduced many of the operational bottlenecks typically associated with large-scale AI red-team testing.

Researchers describe Photon as a defining shift in AI security practices, enabling automated and continuous vulnerability discovery. However, they also noted that such capabilities are currently limited to highly resourced environments, meaning that widespread misuse by threat actors is unlikely in the near future.
