
Posted by ramimac 3 days ago

Telnyx package compromised on PyPI(telnyx.com)
https://github.com/team-telnyx/telnyx-python/issues/235

https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-...

132 points | 133 comments | page 3
kelvinjps10 2 days ago
I received an email from them about the vulnerability, but I don't remember ever using them.
rvz 2 days ago
That's not good. Time to raise the package security drawbridge on vibe coders.
doug_durham 2 days ago
In what world do professional hackers intersect with vibe coding? This is a professional attack, not some amateur script kiddie action.
spocchio 2 days ago
Is there anyone who uses it? I see their repo's Initial Commit was in Jan 2026... quite a new package! Also, the number of GitHub stars and forks is quite low.

Does the package have a user base, or did the malicious team target one of the many useless GitHub repos?

KomoD 2 days ago
> I see their repo's Initial Commit was in Jan 2026... quite a new package!

That's incorrect; the repo and package date back to 2019.

dlcarrier 2 days ago
At this point, I'm not updating anything using Python.

Not that I had the option anyway, because everything using Python breaks if you update it. You know they've given up on backward compatibility and version control when the solution is: run everything in a VM, with its own installation. Apparently it's also needed for security, but the VMs aren't really set up to be secure.

I don't get why everything math heavy uses it. I blame MATLAB for being so awful that it made Python look good.

It's not even the language itself, not that it doesn't have its own issues, or the inefficient way it's executed, but the ecosystem around it is so made out of technical debt.

TZubiri 2 days ago
Agree. I was working on an open source package, noticed something weird, and noticed the size of the uv.lock and got a bit scared.

It's a pandemic, I will be hardening my security, and rotating my keys just in case.

akx 2 days ago
Sounds like you're not familiar with https://docs.astral.sh/uv/ ...
duskdozer 1 day ago
It sounds to me like they are: `You know they've given up on backward compatibility and version control when the solution is: run everything in a VM, with its own installation.`

uv taking over basically ensures that dependencies won't become managed properly and nothing will work without uv

paulddraper 2 days ago
Python is genuinely a pleasant syntax and experience. [1]

It's the closest language to pseudocode that exists.

Like every other language from 1991, it has rough edges.

[1] https://xkcd.com/353/

hrmtst93837 1 day ago
Math and science picked Python because NumPy, SciPy, and pandas gave them a decent glue layer over C and Fortran, and once the papers, notebooks, and teaching material piled up, the lock-in was social as much as technical. MATLAB being awful helped, but only at the margin.

venv and Docker don't fix much. They just freeze the mess until rebuild day, when you find out half the stack depended on an old wheel, a dead maintainer, or a C extension that no longer compiles on a current Python.

oncallthrow 2 days ago
I think it's only a matter of time at this point before a devastating supply chain attack occurs.

Supply-chain security is such a dumpster fire, and threat actors are realising that they can use LLMs to organize such attacks.

dgellow 1 day ago
Not sure what you mean by devastating, but supply chain attacks occur pretty much daily worldwide, and LLMs have been used by attackers for multiple years at this point. Defending against supply chain threats is a pretty hard area to iterate in, and things are slow to change. For example, PyPI has only supported trusted publishers since 2023 IIRC, and lots of large companies are still not consistently using that option.
TZubiri 2 days ago
Shoutouts to all the real engineers who use a generic http client to call APIs and weren't impacted by this.
LoganDark 2 days ago
I used to use Telnyx many years ago, but was squeezed out when they started adding layer after layer of mandatory identity verification. Nope.