TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.

The supply-chain attack was observed by modern application security Aikido, Socket, and Endor Labs, and was attributed to TeamPCP based on the same exfiltration pattern and RSA key seen in previous incidents caused by the same actor.

TeamPCP is responsible for multiple recent supply-chain (e.g., Aqua Security’s Trivy vulnerability scanner, the open-source Python library LiteLLM) and wiper attacks targeting Iranian systems.

Earlier today, the threat actor published backdoored versions of the Telnyx package 4.87.1 and 4.87.2. On Linux and macOS, the malicious version drops malware that steals SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other types of secrets.

On Windows, the malware is dropped for persistence in the startup folder, running on every login.

The Telnyx PyPI package is the official Python software development kit (SDK) that allows developers to integrate Telnyx communication services like VoIP, messaging (SMS, MMS, WhatsApp), fax, and IoT connectivity into their applications.

The package is very popular, having over 740,000 downloads per month on PyPI.

Security researchers believe that the hackers breached the project using stolen credentials for the publishing account on the PyPI registry.

Initially, TeamPCP published Telnyx version 4.87.1 at 03:51 UTC, but the package had a malicious yet non-functioning payload. The threat actor corrected the error about an hour later at 04:07 UTC by publishing Telnyx version 4.87.2.

The malicious code is contained in the ‘telnyx/_client.py’ file, which triggers automatically at import, while allowing the legitimate SDK classes to function as expected.

On Linux and macOS systems, the payload spawns a detached process that downloads a second-stage disguised as a WAV audio file (ringtone.wav) from a remote command-and-control (C2) server.

By using steganography, the threat actor embedded malicious code in the file’s data frames without altering the audio. The payload is extracted using a simple XOR-based decryption routine and executes in memory to harvest sensitive data from the infected host.

If Kubernetes is running on the machine, the malware enumerates cluster secrets and deploys privileged pods across nodes, attempting to access the underlying host systems.

On Windows systems, the malware downloads a different WAV file (hangup.wav) that extracts an executable named msbuild.exe.

The executable is placed in the Startup folder for persistence across system reboots, while a lock file limits repeated execution within 12-hour windows.

The researchers warn that Telnyx SDK version 4.87.0 is the clean variant that includes the legitimate Telnyx code with no alterations. Developers are strongly advised to roll back to this release if they find Telnyx version 4.87.1 and 4.87.2 in their environments.

Any system that imported the malicious package versions should be treated as fully compromised, as the payload executes at runtime and may have already exfiltrated sensitive data. In such occurrences, it is recommended to rotate all secrets as soon as possible.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now

After a brief introduction when it revealed its SQD-Mini LED TVs at CES 2026 in Vegas, we’ve got more details on TCL’s flagship TV for this year.

The SQD-Mini LED line-up, SQD standing for “Super Quantum Dot”, will be coming to the UK market, with the X11L leading the charge (from 75-inches and above), followed by the C8L and C7L models, with TCL stating that each TV is “designed to make viewing feel bigger, brighter, and more immersive.” It looks as if these models replace the C8K and C7K from 2025.

The X11L SQD-Mini LED is stacked with high performance numbers. TCL claims that it has up to 20,736 precise dimming zones, and can produce up to 10,000 nits of peak brightness, with support 100% BT.2020 colour gamut to deliver both vibrant and accurate, cinema-grade colour.

There has been slight controversy with the last point with a pre-review asserting the X11L did not meet those colour benchmarks (but there’s a suggestion this was measured in a mode that’s not the optimal picture mode).

Advertisement

The screen is a native 144Hz which should help with motion and gaming, while there’s HDR support in the form of HDR10+ and Dolby Vision, though arguably the brightness this TV offers means dynamic HDR formats aren’t the most necessary.

Advertisement

The X11L packs TCL’s WHVA 2.0 Ultra panel to ensure consistent colours, contrast, and brightness at wide viewing angles, and audio is once again supplied by Danish audio brand Bang & Olufsen.

The step-down C8L sees the number count fall from the highs of the X11L, with just the 4032 dimming zones and 6000 nits of peak brightness to rely upon.

Advertisement

It keeps the 144Hz native refresh rate, and the sound system is built by Bang & Olufsen with Dolby Atmos support.

The specs fall again with the C7L, though the performance on paper still stretches past most other Mini LEDs on the market. There are 2176 dimming zones, 3000 nits of peak brightness; while the screen is 144Hz, there’s HDMI 2.1 support as well as Dolby Atmos on the sound side.

The C7L will be available in sizes that range from 55- to 98-inches. The C8L covers the same sizes while the X11L is available in 75-, 85- and 98-inch sizes.

Advertisement

There’s been no mention of price but we expect the SQD-Mini LED series to be available to buy from May 2026 onwards.

Advertisement

from the more-things-change-the-more-they-stay-the-same dept

In 2018, the Supreme Court ruled that warrants were needed to obtain cell site location info (CSLI). That decision dealt with law enforcement’s warrantless acquisition of 127 days of location data from a cell service provider. As the court saw it, the government was leveraging access to this data to turn cell phones (which has been given heightened protections with the 2014 Riley decision) into government tracking devices, all without having to bother with warrants or deploying government-crafted tracking tech.

The rationale for this 4th Amendment bypass was this: location data slurped up by websites and downloaded apps wasn’t exactly the same thing as cell tower location data. Therefore, it could be had without a warrant. In fact, it could be had without bothering the courts at all with a subpoena or any other lighter-weight legal paperwork. The government could just buy this data and sort through it to find what it was looking for. Some third parties were even willing to do the sorting for the right price, freeing the government up to pursue other rights violations.

This option obviously experienced a jump in popularity following the Supreme Court’s Carpenter ruling. While the spokespeople constantly stated the agencies they represented (which was pretty much all of them when it came to buying data from data brokers) were super-interested in respecting constitutional rights, they never took the time to explain their “respect” meant constantly testing (or breaking!) the boundaries until court precedent forced them to do otherwise.

In 2023, anti-encryption zealot Christopher Wray was heading the FBI. During the last years of his tenure, he admitted to Congress (or, more specifically, privacy hawk Senator Ron Wyden) that the FBI was — like CBP, ICE, US Secret Service, IRS, and federal prisons — buying up as much location data as it could purchase. Wray insisted this process was “court-authorized,” but somehow couldn’t find any court documents laying around that would support his claims of authorization.

The government is still buying this data. And it’s even more problematic than it was a few years ago, when federal agencies weren’t being run by MAGA loyalists and outright racists. Now there’s a new wrinkle: the government is delving into ad markets to siphon off RTB (real-time bidding) data that’s capable of tying location data to specific devices, even if those hawking the data pretend it’s been anonymized.

So, it comes as absolutely no surprise that aspiring frat bro Kash Patel’s FBI is doing the same thing that plenty of immigration-focused agencies are already doing. Yet again, it’s Senator Wyden demanding answers. And it’s Kash Patel answering the questions without honestly engaging with the questions. Here’s Zack Whittaker with the details for TechCrunch:

When asked by U.S. Senator Ron Wyden, Democrat of Oregon, if the FBI would commit to not buying Americans’ location data, Patel said that the agency “uses all tools … to do our mission.”

“We do purchase commercially available information that is consistent with the Constitution and the laws under the Electronic Communications Privacy Act — and it has led to some valuable intelligence for us,” Patel testified Wednesday.

First, there’s the obviously false insistence that this is all very constitutional. Buying location data from data brokers doesn’t just violate the spirit of the Supreme Court’s Carpenter decision, it’s only a letter or three off from violating the letter of the law. When the only difference is where you’re obtaining long-term location tracking data, you’re just exploiting loopholes rather than actually trying to be “consistent with the Constitution.”

The second part is even stupider. When you claim that legally-questionable efforts have “led to some valuable intelligence,” you’re just saying that the ends justify the means. And if that’s the low bar you’ve set for yourself, you’re going to be violating rights regularly because you prefer harvesting data to respecting rights.

This sums up the government’s stance concisely:

The FBI claims it does not need a warrant to use this information for federal investigations; though this legal theory has not yet been tested in court.

The government — especially this one — will never err on the side of restraint. It would rather explore the outer edges of legal theory, sacrificing our rights in exchange for more government power. At some point, this legal theory will be tested. But until it is, the government is going to continue to pretend the implications of Carpenter don’t apply to anything that hasn’t been specifically ruled unconstitutional.

Filed Under: 3rd party data, 4th amendment, fbi, kash patel, location data, mass surveillance, ron wyden

A hacking group called Handala has gained access to FBI Director Kash Patel’s email account, Reuters reports. The group published content from Patel’s email on their website as proof, including photos of Patel “sniffing and smoking cigars” and “making a face while taking a picture of himself in the mirror with a ​large bottle of rum.”

TechCrunch was able to independently confirm that at least some of the emails Handala stole were from Patel’s account by checking information used by mail delivery systems that’s stored in an email’s header. Several stolen emails included a cryptographic signature that linked them to Patel’s account. The FBI has also separately confirmed that the Director’s account was hacked. “The FBI is aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity,” the Bureau told TechCrunch. “The information in question is historical in nature and involves no government information.”

The FBI is offering up to $10 million in rewards for more information about the hackers who targeted Patel’s account. Handala presents as a pro-Palestinian hacking group online, but is believed to be one of several aliases used by cyberintelligence units working for the Iranian government, Reuters writes. Groups affiliated with Iran have targeted officials in the US before. In August 2024, the FBI shared that a separate group, APT42, was trying to gain access to both the Trump and Harris campaigns. Three men associated with APT42 were later charged that September.

Handala has appeared to become more active during the current conflict between the US, Israel and Iran. According to Reuters, the group claimed to be behind a cyber attack on Stryker, a medical devices company, earlier in March. Handala also said it accessed and published personal data from Lockheed Martin employees stationed in the Middle East.

The roles will be available in areas such as engineering, research and development, and customer service.

Data management and cloud data platform provider Qumulo officially launched its new European software R&D hub in Cork today (27 March), amid a plan for expansion that will also create 50 new jobs in the area over the next three years.

The project is supported by IDA Ireland and aims to address challenges for data management at scale and scope.

New roles will include opportunities in engineering, R&D and customer service, and the Cork-based team will be responsible for researching and developing solutions to enable the secure, frictionless and instantaneous transfer of “exabyte-scale” workloads globally, the company said. 

Established in 2012, US company Qumulo is headquartered in Seattle, Washington and has a significant global presence across the US, the Middle East and Europe.

Qumulo’s CTO Kiran Bhageshpur explained Cork was chosen as the location for its second R&D centre in part because of the access to “stellar third-level institutions in the south-west” and a “deep talent pool in Cork”.

He added, “Additionally, the excellent support infrastructure for companies like Qumulo provided by IDA Ireland made Cork the obvious choice for us to build a team focused on leveraging AI to help businesses manage global-scale data infrastructure.”

Minister for Enterprise, Tourism and Employment Peter Burke, TD said, “Qumulo’s decision to establish a new European software R&D hub in Cork is a strong endorsement of Cork as a location where cutting-edge engineering and global ambition meet. 

“It highlights the depth of talent emerging from our universities, the strength of the region’s technology ecosystem and Ireland’s ability to support companies delivering pioneering innovation on a global scale.”

Cork’s R&D ecosystem has experienced a boost as of late, with global semiconductor, power systems and IoT company Infineon Technologies also officially opening a new Cork-based R&D centre earlier this month. The new location focuses on Infineon’s innovations in the automotive and consumer microelectronics space, in areas such as battery management, motor control and touchscreens. 

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Once the premium option for data transfers and remote control for high-end audiovisual and other devices, FireWire (IEEE 1394) has been dying a slow death ever since Apple and Sony switched over to USB. Recently Apple correspondingly dropped support for it in MacOS 26, and Linux will follow in 2029. The bright side of this when you’re someone like [Jeff Geerling] is that this means three more years of Linux support for one’s FireWire gear, including on the Raspberry Pi with prosumer gear from 1999.

If you’re not concerned about running the latest and greatest – and supported – software, then using an old or modern Mac or PC is of course an option, but with Linux support still available [Jeff] really wanted to get it working on Linux. Particularly on a Raspberry Pi in order to stay on brand.

Adding a FireWire port to a Raspberry Pi SBC is easy enough with an RPi 5 board as you can put a Mini PCIe HAT on it into which you slot a mini PCIe to Firewire adapter. At this point lspci shows the new device, but to use it you need to recompile the Linux kernel with Firewire support. On the Raspberry Pi you then also need to enable it in the device tree overlay, as shown in the article.

With this you now have FireWire 400 support right off the bat, but to use the FireWire 800 port you need to also connect external power to the adapter, which [Jeff]’s Canon GL1 video camera with its FW400 port does not require, so he didn’t bother with that.

Capturing the video from the GL1 via FW400 was done using the DVgrab utility, with a subsequent capture attempt successful. This means that at least until 2029 [Jeff] will be happily using his GL1 camera this way.

Meanwhile over on the Dark Side, you can still happily install FireWire drivers made for older Windows versions on Windows 10 and 11, which is great news for e.g. people who have expensive DAW gear kicking around. Perhaps the demise of FireWire is still a long while off as long as you’re not too picky about the OS you’re running.

Looking for an all-in-one soundbar that sounds as big as it looks? Sennheiser’s Ambeo Max uses its oversized body to produce beefy, enveloping sound, and right now you can grab it for just $2,000 at Best Buy, a sizable $1,000 markdown from the usual list price. It’s one of our favorite stand-alone premium soundbars, particularly if you don’t want to deal with an exterior subwoofer but still want bigger bass than you’re likely to find on smaller options.

While it might be a bit larger than your average soundbar, Sennheiser uses the space well, packing a ton of functionality and drivers into the less-than-compact body. There are both full-range and 1-inch tweeters combined in every conceivable direction, and the result is an impressive reproduction of true spatial audio, something few other stand-alone bars can claim. As a result, it also has an impressive low-end, with bass that doesn’t rival dedicated subwoofers, but comes really close for how much simpler the setup process will be.

The larger footprint also allows for a huge number of inputs, more than you’re likely to find on those tiny soundbars that slide under your screen. In addition to an HDMI 2.1 output with eARC, you’ll get three HDMI inputs with 4K pass-through at 60Hz, USB, Ethernet, and optical audio. There are even RCA ports in case you want to hook this up to your turntable. There’s also a dedicated subwoofer output, in case you decide you want to add one to your setup down the road, giving you a ton of options should you decide to put the Ambeo Max at the center of your home audio setup.

Ready to make the move to a bigger, better soundbar? Swing on over to Best Buy to grab this hefty discount on the Sennheiser Ambeo Max, or check out our guide to the best premium soundbars for some of our other favorite picks. If you’re just out looking for a great deal in general, the Amazon Big Spring Sale is underway, and we’ve got a dedicated post with all the best discounts on everything from smartwatches to water bottles.

from the be-better dept

We’ve been talking a lot of about the use of artificial intelligence lately, for obvious reasons. Many of those conversations have revolved around the video game industry and I’ve been fairly vocal about pushing back against the “all AI is bad everywhere forever” dogma that I see far too often. There are plenty of folks in our community that don’t agree with me on that, and that’s fine. But if the picture you’re getting is that I’m an AI evangelist, that’s simply not true. There are potentially good uses of AI in my view, as well as a whole lot of potential negative outcomes of its use. I’m not blind to that.

And, in the video game industry specifically, one bit of pushback that seems to be sorely needed is on game developers that use generative AI in their games, fail to say so, and then excuse its use as accidental after the fact. That is becoming as common a refrain from game developers as the laughable excuse in trademark instances that is, “Well, I have to be an aggressive jerk about my trademarks or else I lose them.” Neither is true.

The most recent version of this concerns the recent hit launch of Crimson Desert. In what is becoming something analogous to the antiquated process by which people who watch golf tournaments on TV looking for missed rules violations could then send into the PGA, which I’ve coined as McPromptism, new game releases get put under a microscope by people looking to find AI uses within them. Crimson Desert went through this process and, wouldn’t you know it, people found clear uses of AI-generated assets in the game.

The game’s extremely high fidelity and impressive graphics are a big part of the sales pitch, which made it all the more disappointing when players began to come across what appeared to be AI-generated artwork littered throughout the game. In light of the disappointment, developer Pearl Abyss has apologized for including the slop in their game, promising to remove and replace all of it.

“We also acknowledge that we should have clearly disclosed our use of AI,” the Crimson Desert account posted on X. “We are currently conducting a comprehensive audit of all in-game assets and are taking steps to replace any affected content. Updated assets will be rolled out in upcoming patches. In parallel, we are reviewing and strengthening our internal processes to ensure greater transparency and consistency in how we communicate with players moving forward.”

Advertisement

Like I said above, this excuse is getting old. Very old. Game developers and publishers will be more than aware at this point that a sizable percentage of the gaming public is very allergic to the use of AI in games, particularly when that use is not acknowledged at the forefront. If placeholder assets generated by AI are to be used at all in the development of a game, it is inexcusable for a developer to not have a process to remove them in place of human-created art before the game is published. That’s sloppy at best, and a lie of an excuse at worst.

Especially because it’s not like there aren’t other options that have nothing to do with AI.

The practice is becoming more common in AAA developer spaces, but critics argue that setting aside the use of AI in your game, it’s pretty foolish to use temporary assets that don’t call obvious attention to themselves. In games of such massive scale, BRAT-green blocks that scream “DO NOT USE” are much easier to flag than something approximating the final product.

I’m struggling to come up with a counter-argument to that.

I’m still in a place where I think there are valid uses of AI in gaming development. If a dev or publisher wants to explore those uses and, importantly, is upfront about it, there may be a place for that.

But the excuse of laziness when it comes to stripping AI assets out when their use was not intended is lame and needs to go away.

Filed Under: ai, crimson desert, placeholder, slop, video games

In today’s technological landscape, the only constant is the rate of obsolescence. As engineers move deeper into the eras of 6G, ubiquitous artificial intelligence, and hyper-miniaturized electronics, a traditional degree is only a starting point.

To remain competitive in today’s job market, technical specialists must evolve into future-ready professionals by cultivating more than just niche expertise. Success now demands a high degree of adaptive intelligence and strategic communication, allowing specialists to translate complex data into actionable business decisions as industry shifts accelerate.

To bridge the gap between technical proficiency and organizational leadership, the IEEE Professional Development Suite offers training on programs designed to build the strategic competencies required to navigate today’s complex landscape. The suite provides deep technical dives into domains such as telecommunications connectivity and microelectronics reliability. Organizations can stay ahead of the curve through informed decision-making and a future-ready workforce.

Mastery of electrostatic discharge and 5G networks

Within the semiconductor sector, which is projected to become a US $1 billion industry by 2030, electrostatic discharge (ESD) is a major reliability challenge. Because even a microscopic, unnoticed discharge can compromise a semiconductor, ESD issues account for up to one-third of all field failures, according to the EOS/ESD Association.

IEEE’s targeted training—the online Practical ESD Protection Design certificate program—equips teams with technical protocols to mitigate the risks and ensure long-term hardware reliability. Specialized ESD training has become essential for chip designers and manufacturing professionals seeking to improve discharge control.

The interactive modules cover theory, real-world case studies, and practical mitigation techniques. The standards-based instruction is aligned with ANSI/ESD S20.20–21: Protection of Electrical and Electronic Parts and other industry guidelines.

As 5G network capabilities expand globally, so does the demand for engineers who can master the protocols and procedures required to manage complex telecommunications systems. The IEEE 5G/6G Essential Protocols and Procedures Training and Innovation Testbed, in partnership with Wray Castle, takes a deep dive into the 5G network function framework, registration processes, and packet data unit session establishment. The program is designed for system engineers, integrators, and technical professionals responsible for 5G signaling. Stakeholders such as network operators, equipment vendors, regulators, and handset manufacturers could find the program to be beneficial as well.

“The IEEE Professional Development Suite ensures that learners are not just keeping pace with change but helping to drive it.”

To bridge the gap between theory and practice, the course includes three months of free access to the IEEE 5G/6G Innovation Testbed. The secure, cloud-based platform offers a private, end-to-end 5G network environment where individuals and teams can gain hands-on experience with critical system signaling and troubleshooting.

Leadership training programs

Technical knowledge alone is not enough to climb the corporate ladder. To thrive today, engineering leaders must have a strategic vision and people-centric leadership skills.

The IEEE Leading Technical Teams training program focuses on the challenges of managing engineers in R&D environments and fostering creative problem-solving through an immersive learning experience. It’s designed for professionals who have been in a leadership position for at least six months. Participants can gain self-awareness.

The program includes a 360-degree assessment that gathers feedback about the individual from peers and direct reports to build a personalized development plan. The goal is to help technical professionals transition from high-performing individual contributors into leaders who drive innovation by inspiring their teams rather than just managing tasks.

Organizations can enroll groups of 10 or more to learn as a cohort—which can ensure that everyone stays on the same page while setting a training schedule that fits the team’s deadlines.

In collaboration with the Rutgers Business School, IEEE offers two mini MBA programs to bridge the gap between technical expertise and executive leadership. The programs offer flexibility to fit the demanding schedules of senior professionals. The online format lets participants engage with content as their time permits, while live virtual office hours with faculty provide opportunities for real-time interaction.

During the mini MBA for engineers 12-week curriculum, technical professionals master core competencies such as financial analysis, business strategy, and negotiation to effectively transition into management roles.

The mini MBA in artificial intelligence embeds AI literacy directly into business strategy rather than treating the technology as a standalone subject. Participants learn to evaluate AI through financial modeling and governance frameworks, gaining a practical foundation to lead initiatives that incorporate the technology.

The programs are offered to individuals as well as to organizations interested in training groups of 10 employees or more.

Earning credits that count

All the programs within the IEEE Professional Development Suite offer continuing education units and professional development hours.

Earning globally recognized credits provides a professional advantage, signaling a commitment to growth that often serves as a prerequisite for advancing into senior, lead, or principal roles. Additionally, the credits satisfy annual professional engineering license renewal requirements, ensuring practitioners remain compliant while expanding their capabilities.

Why curated content matters

Developed by IEEE Educational Activities, the training programs are peer-reviewed and built to align with industry needs. By focusing on upskilling (improving current skills) and reskilling (learning new ones), the IEEE Professional Development Suite ensures that learners are not just keeping pace with change but helping to drive it.