- JFrog reports that Telnyx PyPI package was poisoned with malware by TeamPCP
- Malicious update delivered hidden .wav payload that deployed information theft and persistence mechanisms
- Users are advised to downgrade, block C2 communication, rotate credentials, and check for persistence.
Telnyx, a popular PyPI package offering real-time communication features, was recently poisoned and used to deliver malware to its users, experts have warned.
A report from security researchers at JFrog, backed by other independent security experts, explains that Telnyx is a cloud platform that lets developers add real-time communications capabilities such as voice and messaging to their applications, providing APIs and tools for building calling systems and SMS-based services.
The package has been downloaded millions of times and, according to JFrog, had over 670,000 downloads this month alone. It is often chosen as an alternative to Twilio because of its asynchronous httpx support and its cost effectiveness in high-concurrency environments.
Two poisoned versions
However, telnyx recently received two new versions on PyPI: 4.87.1 and 4.87.2. Installing either one caused the package to fetch what looked like an ordinary audio (.wav) file from the Internet, which the bundled script then extracted and decoded.
The malicious code hidden there is used to establish persistence on the target device and deploy second-stage malware that acts as an information stealer, harvesting device data such as login credentials and system information.
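The article does not say how the payload was encoded inside the audio file. As an added example (not code from the article, from JFrog, or from the telnyx project), the following Python script shows one generic check a responder can run on a suspect .wav: walk the RIFF chunk list and flag bytes beyond the declared RIFF size, a declared size larger than the file, or chunk ids that do not belong in a PCM WAV, which are common ways of smuggling data inside an otherwise playable media file. The `build_wav` and `append_chunk` helpers only construct test input, and the allowlist of chunk ids is an assumption for this example, not an authoritative list.

```python
import struct

# Chunk ids normally found in a PCM WAV; anything else deserves a closer look.
# Assumption for this example, not an authoritative list.
COMMON_CHUNK_IDS = {"fmt ", "data", "LIST", "fact", "cue ", "JUNK"}


def build_wav(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Construct a minimal 8-bit mono PCM WAV (test input, not a real capture)."""
    fmt_chunk = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, sample_rate, sample_rate, 1, 8)
    data_chunk = struct.pack("<4sI", b"data", len(samples)) + samples
    body = b"WAVE" + fmt_chunk + data_chunk
    return struct.pack("<4sI", b"RIFF", len(body)) + body


def append_chunk(wav: bytes, chunk_id: bytes, payload: bytes) -> bytes:
    """Add an extra chunk inside the container and fix up the RIFF size (constructed input)."""
    pad = b"\x00" if len(payload) & 1 else b""
    body = wav[8:] + struct.pack("<4sI", chunk_id, len(payload)) + payload + pad
    return struct.pack("<4sI", b"RIFF", len(body)) + body


def inspect_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report trailing data, size mismatches and unusual chunk ids."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"valid": False, "reason": "not a RIFF/WAVE file"}
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    declared_end = 8 + riff_size          # where the container says the file ends
    limit = min(declared_end, len(blob))  # never read past real data
    chunks = []
    pos = 12
    while pos + 8 <= limit:
        cid, size = struct.unpack_from("<4sI", blob, pos)
        chunks.append((cid.decode("latin-1"), pos, size))
        pos += 8 + size + (size & 1)      # RIFF chunks are word-aligned
    trailing = max(0, len(blob) - declared_end)      # bytes appended after the container
    truncated = declared_end > len(blob)             # header claims more than is present
    unknown = [cid for cid, _, _ in chunks if cid not in COMMON_CHUNK_IDS]
    return {
        "valid": True,
        "chunks": chunks,
        "trailing_bytes": trailing,
        "truncated": truncated,
        "unknown_chunks": unknown,
        "suspicious": trailing > 0 or truncated or bool(unknown),
    }


if __name__ == "__main__":
    clean = build_wav(b"\x80" * 100)
    appended = clean + b"\x00constructed-second-stage"
    smuggled = append_chunk(clean, b"xdat", b"constructed-second-stage")
    for name, blob in (("clean", clean), ("appended", appended), ("extra chunk", smuggled)):
        print(name, inspect_wav(blob))
```

A real hunt would run `inspect_wav` over every audio file in the download cache and temp directories of the affected hosts; a playable file that still carries trailing bytes or an unexplained chunk is the one to pull for deeper analysis.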
The attack was carried out by a hacker collective calling itself TeamPCP. The group recently made headlines when it compromised another major Python package, LiteLLM.
Now, researchers have observed nearly identical code in telnyx, saying they don’t yet know how the maintainer’s PyPI account was compromised.
In any case, the .wav payload and the URL that hosted it are now offline. Those who installed either poisoned version should downgrade to a clean version, block all communication with the C2 address, then revoke and rotate every credential that was present on the affected machine. Finally, they should hunt for any additional persistence mechanisms to confirm that the compromise has been fully remediated.
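The first of those steps is finding out who actually pulled 4.87.1 or 4.87.2. As an added example (not from the article, JFrog or the telnyx project), this Python script checks the live interpreter via `importlib.metadata` and scans pinned requirement lines for the two versions named in the report, then emits a constraints entry that keeps them out of future installs. The sample requirements text is constructed for the example.

```python
import re
from importlib import metadata

# The two versions the JFrog report names as poisoned, as quoted in the article.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}

# Matches "name==version" pins; extras, markers and comments are ignored for this check.
PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<version>[0-9][A-Za-z0-9.+!-]*)")


def normalize(name: str) -> str:
    """PyPI treats names case-insensitively and '_' / '-' as equivalent."""
    return name.lower().replace("_", "-")


def find_affected_pins(lines, package="telnyx"):
    """Return (line_number, version) for each pin of `package` at a known-malicious version."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = PIN_RE.match(line.split("#", 1)[0])  # strip trailing comments
        if not m:
            continue
        if normalize(m.group("name")) == package and m.group("version") in MALICIOUS_VERSIONS:
            hits.append((lineno, m.group("version")))
    return hits


def exclusion_constraint(package="telnyx", versions=MALICIOUS_VERSIONS) -> str:
    """A pip constraints line that forbids the poisoned releases without pinning a fixed one."""
    return package + ",".join("!=" + v for v in sorted(versions))


def installed_version_status(package="telnyx"):
    """Check the interpreter this script runs in; returns (verdict, version_or_None)."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return ("not installed", None)
    if version in MALICIOUS_VERSIONS:
        return ("MALICIOUS: treat host as compromised", version)
    return ("not a known-bad version", version)


# Constructed sample requirements.txt for the example (not a real project file).
SAMPLE_REQUIREMENTS = """
# constructed sample requirements.txt
httpx==0.27.0
telnyx==4.87.2   # upgraded last week
Telnyx==4.87.0
twilio==9.0.0
""".strip().splitlines()


if __name__ == "__main__":
    print("live environment:", installed_version_status())
    for lineno, version in find_affected_pins(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno} pins poisoned telnyx {version}")
    print("add to constraints.txt:", exclusion_constraint())
```

Run the same scan over lock files and container build logs, since a `==4.87.2` pin that was later overwritten still tells you the host installed the payload at some point; a clean current version does not mean the persistence mechanism is gone.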
Protect WordPress sites
As a platform, WordPress is generally considered secure and has no known major vulnerabilities of its own. However, it relies on a large repository of user-created third-party themes and plugins, split into free and premium tiers. Premium offerings usually come with a dedicated maintenance and development team and, as such, are regularly updated and hardened against attacks.
Free versions, on the other hand, are often created by enthusiasts, small teams, and independent developers. Many of them are abandoned, unmaintained or poorly managed, yet remain popular with users. As such, they create a significant security risk for site owners and a convenient attack surface for adversaries.
Typically, security researchers advise WordPress users to keep the platform, themes, and plugins up to date at all times. They also suggest that users keep only the themes and plugins they actively use installed, and review and change the default security and privacy settings rather than leaving them as shipped.
Via BleepingComputer
