- JFrog reports that the Telnyx PyPI package was poisoned with malware by TeamPCP
- Malicious update delivered hidden .wav payload that implemented infostealer and persistence mechanisms
- Users are advised to downgrade, block C2 communication, rotate credentials and scan for persistence
Telnyx, a popular PyPI package with real-time communication features, was recently poisoned and used to serve malware to its users, experts have warned.
A report by security researchers at JFrog, together with other independent security experts, notes that Telnyx is a cloud platform that lets developers add real-time communication features to apps, such as voice and messaging, providing APIs and tools to build solutions such as calling systems and SMS-based services.
It has already been downloaded millions of times, and according to JFrog it has had more than 670,000 downloads this month, and serves as an alternative to Twilio, sometimes chosen for its asynchronous httpx support and cost-effectiveness in high-concurrency environments.
Two poisoned versions
However, Telnyx was recently updated with two new versions hitting PyPI: 4.87.1 and 4.87.2. Those who upgraded were then served a seemingly ordinary audio file (.wav) from the Internet, which the bundled script downloads and decodes to extract the hidden payload.
The malicious code hidden inside is used to establish persistence on the target device and deploy a second-stage infostealer that extracts data such as login credentials and system information from the device.
The attack was carried out by a hacker collective that calls itself TeamPCP. This group made headlines recently when they managed to compromise another major Python package called LiteLLM.
Now, researchers observed nearly identical code in telnyx and said they are not yet sure how the maintainer’s PyPI account was compromised.
In any case, the .wav payload has been taken down and the URL that hosted it is offline. Those who installed the poisoned versions should downgrade to the clean version, block all communication with the C2 addresses, and then revoke and rotate all credentials. After that, they should scan for additional persistence to ensure that the compromise has been fully resolved.
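As an added illustration of the first remediation step (not code from JFrog, Telnyx or the article), the following checker flags the two poisoned releases named above, both in a requirements or `pip freeze` listing and in the running interpreter's environment. The sample freeze output is constructed for the demonstration.

```python
"""Flag the poisoned telnyx releases (4.87.1 and 4.87.2) in pins or in the live environment."""
import re
from importlib import metadata

# The two releases the report names as poisoned.
POISONED_TELNYX = {"4.87.1", "4.87.2"}

# Matches "name==version" pins from pip freeze / requirements files;
# comment lines start with '#' and therefore never match.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Telnyx' and 'telnyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_poisoned_pins(requirements_text: str, package: str = "telnyx", bad=POISONED_TELNYX):
    """Return [(line_no, version)] for every pin of `package` at a poisoned version."""
    hits = []
    for line_no, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == normalize(package) and m.group(2) in bad:
            hits.append((line_no, m.group(2)))
    return hits


def installed_is_poisoned(package: str = "telnyx", bad=POISONED_TELNYX):
    """Return (installed_version, is_poisoned); (None, False) if not installed here."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in bad


# Constructed sample pip-freeze output (hypothetical, not from the article).
SAMPLE_FREEZE = """\
httpx==0.27.0
Telnyx==4.87.2
twilio==9.0.0
# telnyx==4.87.1  (commented out, must be ignored)
"""

if __name__ == "__main__":
    for line_no, version in find_poisoned_pins(SAMPLE_FREEZE):
        print(f"line {line_no}: telnyx=={version} is a poisoned release; downgrade and rotate credentials")
    version, poisoned = installed_is_poisoned()
    print("installed telnyx:", version, "POISONED" if poisoned else "clean or not installed")
```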
Protection of WordPress websites
As a platform, WordPress is generally considered secure, with no known major vulnerabilities. However, it does host a large repository of third-party, user-built themes and plugins, divided into free and premium categories. The latter usually come with a dedicated maintenance and development team and as such are regularly updated and hardened against attacks.
The free ones, on the other hand, are often built by enthusiasts, small teams and freelance developers. Many of them are abandoned, unmaintained or otherwise poorly managed, despite being popular with users. As such, they create a huge security risk on one end and attack opportunity on the other.
As a general rule of thumb, security researchers advise WordPress users to keep their platform, themes and plugins up to date at all times. Furthermore, they suggest that users keep only the themes and plugins they actively use installed, and make sure to change all default security and privacy settings.
Via Bleeping Computer