Catching the LiteLLM and Telnyx supply chain zero-days via semantic analysis
Following the discussions around the LiteLLM compromise and today's terrifying Telnyx zero-day, my team and I wrote up a technical breakdown of how the TeamPCP actors are bypassing legacy SCA tools. The tl;dr is that traditional scanners are looking for signatures, while the attackers are weaponizing context. By hiding an executable payload inside mathematically valid .wav audio frames, TeamPCP ensured that content filters and CVE databases waved the Telnyx payload right through.

We spent the weekend building an open-source CLI (wtmp) to hunt for this exact behavior. Instead of asking "Is this package on a blacklist?", it maps your Node/Python dependency graph and uses a LangGraph process to actually read the code. It asks things like: "Why is a telephony SDK running an XOR decryption loop on an audio file and piping it to a shell?"

The reality check: because it relies on LLMs to infer intent, expect false positives. It is not a deterministic CI/CD blocker; it's a flashlight to help yo
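The behavioral question above ("why is an SDK XOR-decoding an audio file and handing the result to a shell?") can be partly answered without an LLM. The following is an added example, not code from the post or from the wtmp project: a deterministic AST pre-filter that walks Python source and flags files where three things co-occur: a reference to an audio file, an XOR operation inside a loop or comprehension, and a call that executes a command via `subprocess` or `os`. Any single signal is common in legitimate code; the conjunction is rare, which is what makes it a useful triage gate before a more expensive LLM stage. The two package sources it scans are constructed inline and only parsed, never executed; the names `scan_source`, `scan_tree` and `Finding` are this example's own.

```python
"""Heuristic 'decode-audio-then-execute' detector (example code, not wtmp)."""
import ast
import os
from dataclasses import dataclass, field

# Audio extensions we treat as a possible payload carrier (assumed list).
AUDIO_EXTS = (".wav", ".mp3", ".ogg", ".flac", ".pcm")
# (module, attribute) pairs that hand data to a shell or new process.
SHELL_EXEC = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("os", "system"), ("os", "popen"),
}


@dataclass
class Finding:
    path: str
    audio_refs: list = field(default_factory=list)   # (lineno, literal)
    xor_loops: list = field(default_factory=list)    # lineno of XOR in a loop
    shell_execs: list = field(default_factory=list)  # (lineno, "mod.attr")

    @property
    def suspicious(self) -> bool:
        # Flag only the conjunction; each signal alone is too noisy.
        return bool(self.audio_refs and self.xor_loops and self.shell_execs)


class _Visitor(ast.NodeVisitor):
    def __init__(self, finding: Finding):
        self.f = finding
        self.loop_depth = 0  # >0 while inside a for/while/comprehension

    def visit_Constant(self, node):
        if isinstance(node.value, str) and node.value.lower().endswith(AUDIO_EXTS):
            self.f.audio_refs.append((node.lineno, node.value))
        self.generic_visit(node)

    def _enter_loop(self, node):
        self.loop_depth += 1
        self.generic_visit(node)
        self.loop_depth -= 1

    # Loops and comprehensions are the contexts where a byte-wise XOR
    # decode typically lives.
    visit_For = visit_While = visit_ListComp = visit_GeneratorExp = _enter_loop

    def visit_BinOp(self, node):
        if isinstance(node.op, ast.BitXor) and self.loop_depth > 0:
            self.f.xor_loops.append(node.lineno)
        self.generic_visit(node)

    def visit_AugAssign(self, node):  # covers `x ^= key` as well
        if isinstance(node.op, ast.BitXor) and self.loop_depth > 0:
            self.f.xor_loops.append(node.lineno)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            key = (func.value.id, func.attr)
            if key in SHELL_EXEC:
                self.f.shell_execs.append((node.lineno, ".".join(key)))
        self.generic_visit(node)


def scan_source(path: str, source: str) -> Finding:
    """Parse one Python file's text and collect the three signals."""
    finding = Finding(path=path)
    _Visitor(finding).visit(ast.parse(source, filename=path))
    return finding


def scan_tree(root: str) -> list:
    """Walk an installed package tree and return only suspicious findings."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    finding = scan_source(full, fh.read())
            except SyntaxError:
                continue  # not parseable as Python; leave it to other checks
            if finding.suspicious:
                hits.append(finding)
    return hits


# Constructed fixtures (inert text that is parsed, never run).
SUSPICIOUS_SDK = '''
import os, subprocess
def play_ringtone():
    with open(os.path.join(os.path.dirname(__file__), "assets/ring.wav"), "rb") as fh:
        frames = fh.read()[44:]
    decoded = bytes(b ^ 0x5A for b in frames)
    subprocess.run(decoded.decode(), shell=True)
'''

BENIGN_SDK = '''
import requests
def upload_voicemail(path):
    assert path.endswith(".wav")
    with open(path, "rb") as fh:
        return requests.post("https://api.example.invalid/voicemail", data=fh.read())
'''

if __name__ == "__main__":
    for name, src in (("suspicious.py", SUSPICIOUS_SDK), ("benign.py", BENIGN_SDK)):
        f = scan_source(name, src)
        print(name, "SUSPICIOUS" if f.suspicious else "clean", f.shell_execs, f.xor_loops)
```

Point `scan_tree` at a `site-packages` directory (or a vendored `node_modules`-style tree of Python code) to get the short list of files worth a human or LLM read. The benign fixture still opens a `.wav`, so it shows why the detector insists on all three signals rather than any one of them; the obvious gap is that it only sees XOR spelled as an operator, so a decode routed through a C extension or a different transform is a job for the semantic stage, not this filter.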