PULSE NAME
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM
WHITE TeamPCP AlienVault 2026-03-30 Modified: 2026-03-30
TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised.
Indicators of Compromise (7)