- JFrog reports that TeamPCP poisoned the Telnyx PyPI package with malware
- The malicious update delivered a hidden .wav payload that implemented persistence and information theft mechanisms
- Users are advised to downgrade, block C2 communication, rotate credentials, and check for persistence
Telnyx, a popular PyPI package that provides real-time communication functions, was recently poisoned and used to deliver malware to its users, experts warned.
A report by security researchers JFrog, along with other independent security experts, points out how, as a cloud platform that allows developers to add real-time communications features to applications, such as voice and messaging, Telnyx provides APIs and tools to create solutions such as calling systems and SMS-based services.
It has already been downloaded millions of times and, according to JFrog, has had over 670,000 downloads this month alone, acting as an alternative to Twilio, sometimes chosen for its asynchronous httpx support and cost-effectiveness in high-concurrency environments.
Article continues below.
Two poisoned versions
However, Telnyx was recently updated, with two new versions of PyPI: 4.87.1 and 4.87.2. Those who upgraded their packages received a regular audio file (.wav) from the Internet, which the script extracts and decodes.
The malicious code hidden inside is used to establish persistence on the target device and deploy stage two malware that acts as an information stealer, capturing device data such as login credentials and system information.
The attack was carried out by a hacker collective calling itself TeamPCP. This group has been in the headlines recently, when it managed to compromise another major Python package called LiteLLM.
Now, researchers have observed nearly identical code on telnyx and said they are still not sure how the maintainer's PyPI account was compromised.
In any case, the .wav payload is now offline and the URL hosting it is offline. Those who installed the poisoned versions should downgrade to the clean version, block all C2 address communications, and then revoke and rotate all credentials. They should then look for additional persistence to ensure that the compromise has been completely resolved.
Protect WordPress Websites
As a platform, WordPress is generally considered secure with no known major vulnerabilities. However, it operates a vast repository of third-party user-created themes and plugins, divided into free and premium categories. The latter usually have a dedicated development and maintenance team and, as such, are regularly updated and protected against attacks.
Free ones, on the other hand, are usually created by enthusiasts, small teams, and independent developers. Many of them are abandoned, unmaintained or poorly managed, despite being popular with users. As such, they create a huge security risk on the one hand and attack opportunities on the other.
As a general rule, security researchers recommend WordPress users keep their platform, themes, and plugins up to date at all times. Additionally, they suggest that users only keep installed those themes and plugins that they actively use and make sure to override any default security and privacy settings.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
