Telnyx got supply-chain attacked on PyPI — here's why I use HTTP instead of SDKs
via Dev.to Python, brian austin

Another week, another PyPI supply-chain attack. This time it's Telnyx, a popular telecom/messaging SDK that developers trust for production SMS, voice, and communication infrastructure. The compromised package appeared on PyPI, so anyone who ran an unpinned pip install telnyx while the malicious version was live could have pulled malicious code.

This follows the LiteLLM attack two weeks ago. The pattern is clear: complex Python SDKs are high-value targets because they run in privileged environments, pull in many dependencies, and are rarely audited by the developers who install them.

The SDK trust problem

Every time you pip install an AI or telecom SDK, you're trusting:

- the package maintainer's security practices
- every dependency they pull in
- the PyPI infrastructure itself
- the CI/CD pipeline that built the package

That's a lot of trust for a pip install.

My solution: HTTP calls, not SDKs

For my AI project SimplyLouie, I made a deliberate choice: no AI SDKs. Instead, I use plain HTTP.
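The "plain HTTP instead of an SDK" approach described above, as an added example that is not code from the original post or from SimplyLouie: a stdlib-only client that makes explicit everything an SDK would normally hide (auth header, timeout, status-code check, JSON parsing) and has zero third-party imports, so there is no pip install to poison. The /v1/complete path, the bearer-token scheme and the echo behaviour are assumptions made for illustration; the in-process server is a constructed stand-in so the example runs offline.

```python
"""Stdlib-only HTTP client: the 'no SDK' pattern with zero third-party imports.

Added example; not code from the original post or from SimplyLouie.
The endpoint, payload shape and bearer-token scheme are assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class ApiError(Exception):
    """Raised for non-2xx responses, transport failures or bad JSON."""


def call_json_api(url: str, payload: dict, api_key: str, timeout: float = 10.0) -> dict:
    """POST a JSON body and return the decoded JSON response.

    Everything an SDK would hide is explicit here: the auth header, the
    timeout, the status-code check and the response parsing. Only the
    standard library is imported, so nothing here arrives via pip.
    """
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {api_key}",  # assumed auth scheme
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as e:
        # Non-2xx: surface the status, never silently return partial data.
        raise ApiError(f"HTTP {e.code} from {url}") from None
    except (urllib.error.URLError, TimeoutError) as e:
        raise ApiError(f"transport failure calling {url}: {e}") from None
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ApiError("response was not valid JSON") from None


# --- Constructed stand-in API so the example runs offline ------------------
class _FakeApi(BaseHTTPRequestHandler):
    """Hypothetical API: echoes the prompt back if the bearer token matches."""

    def do_POST(self):
        if self.headers.get("Authorization") != "Bearer test-key":
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        data = json.loads(self.rfile.read(length))
        out = json.dumps({"echo": data.get("prompt", "")}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_api() -> str:
    """Start the stand-in server on a free loopback port; return its URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/v1/complete"


def demo() -> tuple:
    """One accepted call and one rejected call; returns (echo, error_text)."""
    url = start_fake_api()
    ok = call_json_api(url, {"prompt": "hello"}, api_key="test-key")
    try:
        call_json_api(url, {"prompt": "hello"}, api_key="wrong-key")
        err = ""
    except ApiError as e:
        err = str(e)
    return ok["echo"], err


if __name__ == "__main__":
    print(demo())
```

The stand-in server's behaviour has nothing to do with any real provider; the point is the client's import list. Dropping the SDK removes the maintainer, the transitive dependencies and the package build pipeline from the trust list, but it does not remove the API provider or the TLS trust store, and it moves the burden of correct auth, retries and error handling onto your own code, which is exactly the trade the post is making.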
