A Poisoned Python Package Sat in Plain Sight for Years — and Nobody Noticed

For more than six years, a widely used Python library for the Telnyx telecommunications platform carried a hidden backdoor capable of siphoning off sensitive data from every application that installed it. The compromise wasn’t discovered through a routine audit or a sophisticated threat-hunting operation. It was found by researchers at Checkmarx, a software supply chain security firm, who flagged the package after noticing anomalous behavior in the code.

The implications are staggering.

The telnyx package on the Python Package Index (PyPI) — the central repository developers rely on when building Python-based applications — had been modified to include obfuscated malicious code that could execute remote commands and exfiltrate data. According to TechRadar, the compromised library potentially put millions of users at risk, given Telnyx’s broad footprint in voice, messaging, and networking APIs used by enterprises worldwide. The attack wasn’t a smash-and-grab. It was patient, quiet, and designed to persist.

Checkmarx researchers identified that the malicious versions of the package contained code designed to collect environment variables — which frequently store API keys, database credentials, cloud access tokens, and other secrets critical to an organization’s infrastructure. The exfiltrated data was sent to an external server controlled by the attacker. Because the package appeared legitimate and carried the Telnyx name, developers had little reason to question it. Trust in the repository was the weapon.

This is the anatomy of a supply chain attack, and it’s a pattern that has become disturbingly familiar.

PyPI, which hosts over 500,000 projects and serves billions of downloads annually, has become one of the most attractive targets for threat actors looking to compromise software at its source. The logic is brutally simple: instead of attacking a single company, you poison a library that thousands of companies depend on. One compromised package can cascade through countless production environments before anyone raises an alarm. And in this case, the alarm took years to sound.

The Telnyx incident is not an isolated event. It fits into a growing pattern of attacks targeting open-source package registries. In recent months, security researchers have uncovered malicious packages on PyPI, npm (the JavaScript registry), and other repositories at an accelerating pace. The technique is sometimes called “typosquatting” — where attackers upload packages with names nearly identical to popular ones — but the Telnyx compromise was more insidious. This wasn’t a lookalike. It was the real package name, either hijacked or manipulated in a way that gave the attacker persistent access to push updates containing malicious payloads.

According to TechRadar’s reporting, the compromised package had been available on PyPI for an extended period, meaning any developer or automated CI/CD pipeline that pulled the library during that window could have unknowingly introduced the backdoor into their systems. The scale of potential exposure is difficult to calculate precisely, but Telnyx serves a substantial customer base that includes startups, enterprises, and telecom operators across dozens of countries.

So how does something like this happen?

The open-source software supply chain operates largely on trust and volunteer labor. PyPI, despite its central importance to the Python community, has historically operated with limited resources for security review. Packages are uploaded by maintainers, and while PyPI has introduced measures like two-factor authentication requirements for critical projects and malware scanning tools, the sheer volume of uploads makes comprehensive vetting nearly impossible. Attackers know this. They exploit the gap between the community’s reliance on these packages and the infrastructure available to police them.

The Python Software Foundation, which oversees PyPI, has been working to strengthen defenses. In 2023, it rolled out mandatory two-factor authentication for maintainers of the top 1% of projects by download count, a move that addressed the most obvious attack vector — account takeover. But mandatory 2FA doesn’t stop a maintainer whose credentials were already compromised before the policy took effect, nor does it prevent a malicious insider or a sophisticated social engineering campaign that convinces a maintainer to hand off control.

Checkmarx’s discovery underscores a broader truth: the security of modern software depends heavily on components that most organizations never audit. A 2024 report from Synopsys found that 96% of commercial codebases contained open-source components, and 84% contained at least one known vulnerability. The Telnyx compromise adds another dimension to that risk — not just known vulnerabilities, but deliberately planted backdoors that evade detection by design.

For enterprises consuming Telnyx APIs, the immediate concern is whether their systems ingested the compromised package versions. Security teams should audit their dependency trees, check for the specific malicious versions flagged by Checkmarx, and rotate any credentials that may have been exposed. Environment variables are particularly dangerous to lose control of because they often contain the keys to everything: cloud provider accounts, payment processing systems, internal databases, third-party integrations.

But the longer-term question is harder to answer. How do organizations protect themselves against supply chain compromises that, by their nature, exploit trusted channels?

Several approaches are gaining traction. Software Bills of Materials (SBOMs) — detailed inventories of every component in a software product — are increasingly required by government procurement standards and are becoming standard practice in regulated industries. Dependency pinning, where organizations lock their builds to specific, verified versions of packages rather than automatically pulling the latest, can limit exposure to newly compromised updates. And tools like Sigstore, which provides cryptographic signing for open-source packages, aim to create a verifiable chain of custody from developer to end user.

None of these are silver bullets. Each adds friction to the development process, and adoption remains uneven. Many organizations, particularly smaller ones, still run pip install without a second thought.

The Telnyx case also raises questions about the responsibilities of the companies whose names appear on these packages. Telnyx itself provides official SDKs and libraries for its platform, and the compromised PyPI package bore its name. Whether the package was originally published by Telnyx and later hijacked, or was an unofficial community-maintained wrapper that gained traction, matters significantly for understanding the attack vector — but either way, the brand association gave the package an air of legitimacy that it exploited to devastating effect.

Companies that offer developer tools and APIs are increasingly recognizing that their official packages are high-value targets. Some have begun publishing checksums and signatures alongside their libraries, and a few have started monitoring third-party repositories for unauthorized packages using their brand names. But this kind of active defense requires resources and awareness that many companies still lack.

The cybersecurity community’s response to supply chain attacks has been reactive more often than proactive. Each new incident — SolarWinds, Codecov, the event-stream npm compromise, and now Telnyx — generates a burst of attention and a round of recommendations. Then the cycle repeats. The fundamental structural vulnerabilities remain: an enormous dependency on open-source code maintained by small teams or individuals, insufficient funding for security infrastructure at package registries, and a development culture that prioritizes speed over verification.

And the attackers keep getting more sophisticated. The obfuscation techniques used in the Telnyx package were designed to evade automated scanning tools, suggesting a threat actor with meaningful technical skill and patience. Six years is a long time to maintain a backdoor without detection. It suggests either extreme caution on the attacker’s part — limiting the volume of exfiltrated data to avoid triggering anomaly detection — or, more troublingly, that nobody was looking.

The incident is a stark reminder that software supply chain security isn’t a problem that can be solved with a single tool or policy change. It requires a fundamental shift in how organizations think about trust in their software dependencies. Every pip install, every npm install, every docker pull is an act of trust. And as the Telnyx compromise demonstrates, that trust can be exploited silently, patiently, and at enormous scale.

For now, developers and security teams should treat this as a wake-up call. Audit your dependencies. Verify your packages. Rotate your secrets. And don’t assume that because a package has been around for years, it’s safe. Sometimes longevity just means the attacker got there first.