Cyber Threat Brief — March 29 2026
1. TeamPCP Compromises Telnyx PyPI Package — WAV Steganography Credential Stealer
TL;DR: TeamPCP published backdoored telnyx versions 4.87.1–4.87.2 to PyPI on March 27, hiding a credential harvester inside WAV audio files downloaded from C2. This is the third ecosystem hit (after Trivy/GitHub Actions, litellm/PyPI, and CanisterWorm/npm) in the cascading supply chain campaign.
What’s New:
- Malicious code injected into telnyx/_client.py executes at import time — no user interaction required
- Windows path: downloads hangup.wav from 83.142.209[.]203:8080, XOR-decodes an executable from the audio frames, drops it as msbuild.exe in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- Linux/macOS path: downloads ringtone.wav from the same C2, XOR-decodes a third-stage collector script, runs it via sys.executable, encrypts the output with AES-256-CBC, exfils it as tpcp.tar.gz via HTTP POST
- Credential vector: compromised litellm CI tokens likely used to access Telnyx PyPI publishing credentials (cascading token theft)
- Package quarantined; 742K total downloads for telnyx; no corresponding GitHub releases/tags for malicious versions
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 83.142.209[.]203:8080 | C2 IP | T1071.001 | Firewall/proxy logs | Block |
| hangup.wav, ringtone.wav (from C2) | Payload delivery | T1027.003 (Steganography) | HTTP logs | Alert on WAV downloads from non-CDN IPs |
| msbuild.exe in %APPDATA%\...\Startup\ | Persistence | T1547.001 | Sysmon (EID 11), EDR | Hunt for msbuild.exe outside C:\Windows\Microsoft.NET\ |
| tpcp.tar.gz HTTP POST to C2 | Exfiltration | T1041 | Proxy/firewall logs | Alert |
| telnyx==4.87.1, telnyx==4.87.2 | Malicious package | T1195.002 | Package manager logs, pip freeze | Audit all environments; downgrade to 4.87.0 |
| telnyx/_client.py modification | Code injection | T1059.006 | File integrity monitoring | Diff against known-good |
| Process: sys.executable piped stdin execution | Execution | T1059.006 | Sysmon (EID 1), auditd | Hunt for Python spawning with piped stdin |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need rule for msbuild.exe in Startup folder outside .NET path |
| Elastic | Startup Folder Persistence (generic) | No WAV steganography or PyPI-specific indicators |
| Sigma | proc_creation_win_susp_msbuild.yml (partial) | Matches msbuild execution but not Startup folder drop; no Linux coverage for piped stdin Python execution |
Sources: Datadog Security Labs, BleepingComputer, Aikido, GitHub Issue #235
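The detection gaps listed for this entry (msbuild.exe dropped into a Startup folder or launched outside the .NET path, WAV fetches from the C2, and an audit for the backdoored pins) can be covered with a few lines of hunting logic. The Python below is an added example written for this brief, not code from Datadog, Aikido or the telnyx project. The Sysmon-style event dicts, proxy lines and pip freeze text are constructed samples; the `/upload` POST path is an assumption, since the brief gives only the C2 host and port.

```python
import re

# Indicators taken from the brief; the C2 IP is defanged there as 83.142.209[.]203.
MALICIOUS_TELNYX = {"4.87.1", "4.87.2"}
C2_ORIGIN = "http://83.142.209.203:8080/"
LEGIT_MSBUILD_ROOT = "c:\\windows\\microsoft.net\\"
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def audit_pip_freeze(freeze_text):
    """Return the pinned requirement lines that match the backdoored telnyx versions."""
    hits = []
    for line in freeze_text.splitlines():
        m = re.match(r"^\s*telnyx==(\S+)\s*$", line, re.IGNORECASE)
        if m and m.group(1) in MALICIOUS_TELNYX:
            hits.append(line.strip())
    return hits


def msbuild_findings(events):
    """Walk simplified Sysmon-style events: EID 11 (file create) drops of msbuild.exe into a
    Startup folder, and EID 1 (process create) launches of msbuild.exe outside the .NET tree."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            low = target.lower()
            if low.endswith("\\msbuild.exe") and STARTUP_MARKER in low:
                findings.append(("startup_drop", target))
        elif ev.get("EventID") == 1:
            image = ev.get("Image", "")
            low = image.lower()
            if low.endswith("\\msbuild.exe") and not low.startswith(LEGIT_MSBUILD_ROOT):
                findings.append(("msbuild_outside_dotnet", image))
    return findings


def c2_traffic(proxy_lines):
    """Return (kind, line) for WAV stage downloads from the C2 and any POST back to it."""
    wav = re.compile(r"GET\s+" + re.escape(C2_ORIGIN) + r"(hangup|ringtone)\.wav\b")
    post = re.compile(r"POST\s+" + re.escape(C2_ORIGIN))
    out = []
    for ln in proxy_lines:
        if wav.search(ln):
            out.append(("wav_stage_download", ln))
        elif post.search(ln):
            out.append(("c2_post_possible_exfil", ln))
    return out


# Constructed samples (not real telemetry). %APPDATA% is expanded to its usual location.
SAMPLE_FREEZE = "requests==2.32.3\ntelnyx==4.87.2\nurllib3==2.2.1\n"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Python312\\python.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},  # legitimate
    {"EventID": 1, "Image": "C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe"},
]
SAMPLE_PROXY = [
    "2026-03-27T14:02:11Z 10.0.0.5 GET http://83.142.209.203:8080/hangup.wav 200 41932",
    "2026-03-27T14:02:40Z 10.0.0.5 POST http://83.142.209.203:8080/upload 200 8832",  # path assumed
    "2026-03-27T14:03:00Z 10.0.0.7 GET https://cdn.example.com/assets/ring.wav 200 1200",
]

if __name__ == "__main__":
    print(audit_pip_freeze(SAMPLE_FREEZE))
    print(msbuild_findings(SAMPLE_EVENTS))
    print(c2_traffic(SAMPLE_PROXY))
```

The msbuild check deliberately keys on the file name rather than a hash, because the brief reports the dropped binary only by name and location; a legitimate MSBuild.exe under C:\Windows\Microsoft.NET\ passes, anything else named msbuild.exe is surfaced for triage.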
2. Citrix NetScaler CVE-2026-3055 — Active Reconnaissance Escalates to SAML IdP Fingerprinting
TL;DR: Threat actors are now actively probing the /cgi/GetAuthMethods endpoint on NetScaler ADC/Gateway instances to fingerprint SAML IdP configurations, building targeted hit lists for imminent CVE-2026-3055 (CVSS 9.3) memory overread exploitation. Successful exploitation leaks session cookies, private keys, and plaintext credentials.
What’s New:
- Defused Cyber and watchTowr independently confirmed active auth-method fingerprinting in honeypot networks (reported March 28)
- Attackers send HTTP POST requests to /cgi/GetAuthMethods to enumerate authentication flows and confirm SAML IdP configuration
- Successful exploitation leaks: session cookies (bypassing MFA), private cryptographic keys, and plaintext user credentials from appliance memory
- No confirmed in-the-wild exploitation of the memory overread itself yet — but shift from recon to exploitation is historically rapid for NetScaler vulns
- Affected: 14.1 < 14.1-66.59, 13.1 < 13.1-62.23, 13.1-FIPS/NDcPP < 13.1-37.262
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /cgi/GetAuthMethods | Recon probe | T1595.002 | NetScaler web access logs | Alert on high-volume requests from external IPs |
| SAML IdP configuration exposure | Target identification | T1592.004 | NetScaler config audit | Verify SAML IdP is required; disable if not needed |
| Session cookies in memory overread response | Credential theft | T1539 | NetScaler audit logs | Monitor for anomalous session reuse post-patch |
| Private key material in overread | Key compromise | T1552.004 | Certificate management | Rotate TLS certs/keys after patching |
| CVE-2026-4368 companion XSS | Reflected XSS | T1189 | WAF logs | Block XSS payloads targeting NetScaler login pages |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for GetAuthMethods enumeration or NetScaler memory overread indicators |
| Elastic | None | No NetScaler-specific detection content |
| Sigma | web_cve_2023_citrix_bleed.yml (template only) | Needs adaptation for CVE-2026-3055; /cgi/GetAuthMethods not covered |
Sources: The Hacker News, Rapid7, Arctic Wolf, [Defused Cyber / watchTowr honeypot telemetry]
Status Updates
- CVE-2025-53521 (F5 BIG-IP APM): Federal deadline is tomorrow (March 30). UNC5221 BRICKSTORM exploitation ongoing. No new IOCs. March 28 brief.
- CVE-2026-4681 (PTC Windchill): Still no patch available. PTC imminent exploitation warning remains active. Monitor for GW.class, payload.bin, dpr_*.jsp. March 27 brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing. PoC public. No new artifacts since March 21. March 19 brief.
- CVE-2026-33017 (Langflow): CISA KEV since March 25, federal deadline April 8. Exploitation ongoing per Sysdig. March 21 brief.
- CVE-2026-33634 (Aqua Trivy supply chain): TeamPCP campaign continues expanding — see Telnyx entry above for latest ecosystem hit. March 27 brief.