TechRadar
Sead Fadilpašić

Major compromise of the telnyx PyPI library could put millions of users at risk


  • JFrog reports Telnyx PyPI package was poisoned with malware by TeamPCP
  • Malicious update delivered hidden .wav payload that deployed infostealer and persistence mechanisms
  • Users advised to downgrade, block C2 communication, rotate credentials, and scan for persistence

Telnyx, a popular PyPI package providing real-time communication features, was recently poisoned and used to serve malware to its users, experts have warned.

A report from security researchers at JFrog, corroborated by other independent security experts, describes Telnyx as a cloud platform that lets developers add real-time communication features such as voice and messaging to their apps. It provides APIs and tools for building calling systems, SMS-based services and similar products, and the telnyx package on PyPI is its official Python client.

The package has been downloaded millions of times, and according to JFrog it has seen more than 670,000 downloads this month alone. It is often chosen as an alternative to Twilio because of its asynchronous httpx support and its cost efficiency in high-concurrency environments.

Two poisoned versions

However, two new telnyx versions recently appeared on PyPI: 4.87.1 and 4.87.2. Anyone who upgraded to either of them received code that fetched what looked like an ordinary audio file (.wav) from a remote server, then extracted and decoded a payload hidden inside it.

The malicious code hiding inside is used to establish persistence on the target device and deploy a stage-two malware that acts as an infostealer, grabbing data from the device such as login credentials and system information.

The attack has been attributed to a hacking collective calling itself TeamPCP. The group made headlines recently when it compromised another major Python package, LiteLLM.

Now, researchers observed almost identical code in telnyx, saying they’re not yet sure how the maintainer’s PyPI account got compromised.

In any case, the URL that hosted the .wav payload is now offline. Those who installed either poisoned version should downgrade to a clean version, block all communication with the command-and-control (C2) addresses identified in the report, and revoke and rotate every credential that was present on the affected machine. They should then scan for additional persistence mechanisms to confirm the compromise has been fully removed.
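The first step of that cleanup is finding where the poisoned releases could have landed. The script below is an added example, not code from JFrog, Telnyx or the original article: it checks the locally installed telnyx version and audits a requirements file for pins or ranges that resolve to 4.87.1 or 4.87.2. The only facts it relies on are the two version numbers named above; the article does not say which earlier release is the clean one, so the script flags known-poisoned versions rather than naming a safe target, and the sample requirements file is constructed for illustration.

```python
"""Audit a Python environment and a requirements file for the poisoned telnyx releases.

Added example for this article; not part of the telnyx project or JFrog's tooling.
Known-bad versions come from the report quoted above; everything else is an assumption.
"""
import re
from importlib import metadata

# telnyx 4.87.1 and 4.87.2 are the two releases reported as malicious.
POISONED = {(4, 87, 1), (4, 87, 2)}

# "name[extras] specifier"; extras are stripped because they do not affect version resolution.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# One PEP 440 clause with a plain dotted version (wildcards like ==4.87.* are reported as unsupported).
_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>|~=)\s*(\d+(?:\.\d+)*)$")


def parse_version(text, width=3):
    """Turn '4.87' into (4, 87, 0): zero-pad so tuples compare like PEP 440 releases."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * max(0, width - len(parts))


def clause_allows(op, bound, version):
    """Does a single specifier clause (e.g. op='>=', bound='4.80') admit `version`?"""
    low = parse_version(bound)
    if op == "==":
        return version == low
    if op == "!=":
        return version != low
    if op == "<=":
        return version <= low
    if op == ">=":
        return version >= low
    if op == "<":
        return version < low
    if op == ">":
        return version > low
    # ~=X.Y.Z means >=X.Y.Z and <X.(Y+1); PEP 440 requires at least two components.
    parts = bound.split(".")
    if len(parts) < 2:
        raise ValueError(f"unsupported compatible-release clause: ~={bound}")
    head = parts[:-1]
    head[-1] = str(int(head[-1]) + 1)
    return low <= version < parse_version(".".join(head))


def spec_allows(spec, version):
    """True if every comma-separated clause admits `version`. An empty spec admits everything."""
    if not spec.strip():
        return True
    for raw in spec.split(","):
        m = _CLAUSE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw.strip()!r}")
        if not clause_allows(m.group(1), m.group(2), version):
            return False
    return True


def audit_requirements(text):
    """Return (line, verdict, detail) for every telnyx requirement in a requirements.txt body."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, --index-url)
            continue
        m = _REQ.match(line)
        if not m or m.group(1).lower() != "telnyx":
            continue
        spec = m.group(2).strip()
        try:
            admitted = sorted(v for v in POISONED if spec_allows(spec, v))
        except ValueError as err:
            findings.append((line, "unsupported", str(err)))
            continue
        if not admitted:
            findings.append((line, "ok", "cannot resolve to a known-poisoned release"))
        elif spec.startswith("==") and "," not in spec:
            findings.append((line, "poisoned", "pinned directly to a poisoned release"))
        else:
            names = ", ".join(".".join(map(str, v)) for v in admitted)
            findings.append((line, "at-risk", f"specifier admits {names}; check the lock file"))
    return findings


def installed_telnyx_status():
    """Classify the telnyx distribution installed in the current interpreter, if any."""
    try:
        ver = metadata.version("telnyx")
    except metadata.PackageNotFoundError:
        return "not installed"
    return "poisoned" if parse_version(ver) in POISONED else f"{ver} (not a known-poisoned release)"


# Constructed sample requirements file for the demonstration, not from any real project.
SAMPLE_REQUIREMENTS = """\
telnyx==4.87.2
telnyx[async]>=4.80,<5   # unpinned range: a fresh resolve could pick a poisoned release
httpx==0.27.0
telnyx==4.86.0
"""

if __name__ == "__main__":
    print("installed telnyx:", installed_telnyx_status())
    for line, verdict, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:11} {line:28} {detail}")
```

Run it from each virtual environment that could have pulled the package; an "at-risk" verdict on a range means the lock file or the actual installed version decides, which is why the installed check is there too. A "poisoned" or "at-risk" hit is the trigger for the rest of the procedure above: downgrade, block the C2 addresses from the report, rotate credentials, then hunt for persistence.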

Protecting WordPress websites

WordPress is a major website building platform (Image credit: Pixabay)

As a platform, WordPress core is actively maintained and is generally considered secure when kept up to date. However, it operates a vast repository of third-party, user-built themes and plugins, split into free and premium categories. Premium ones usually come with a dedicated maintenance and development team and are therefore regularly updated and hardened against attacks.

The free ones, on the other hand, are often built by enthusiasts, small teams, and freelance developers. Many of them are abandoned, unmaintained, or otherwise poorly managed, despite being popular among the users. As such, they create a huge security risk on one end, and attack opportunity on the other.

As a general rule of thumb, security researchers advise WordPress users to keep the platform, themes, and plugins updated at all times. They also suggest keeping installed only the themes and plugins that are actively used, and reviewing and hardening any default security and privacy settings rather than leaving them as shipped.

Via BleepingComputer
