Major compromise of the telnyx PyPI library could put millions of users at risk
TeamPCP strikes again
- JFrog reports Telnyx PyPI package was poisoned with malware by TeamPCP
- Malicious update delivered hidden .wav payload that deployed infostealer and persistence mechanisms
- Users advised to downgrade, block C2 communication, rotate credentials, and scan for persistence
Telnyx, a popular PyPI package providing real-time communication features, was recently poisoned and used to serve malware to its users, experts have warned.
A report from security researchers at JFrog, along with other independent security experts, notes that Telnyx is a cloud platform that lets developers add real-time comms features, like voice and messaging, to apps. It provides APIs and tools for building solutions such as calling systems and SMS-based services.
It has been downloaded millions of times already, and according to JFrog, it’s had more than 670,000 downloads just this month, acting as an alternative to Twilio, sometimes picked because of its asynchronous httpx support and cost efficiency in high-concurrency environments.
Two poisoned versions
However, telnyx was recently updated, with two new versions hitting PyPI: 4.87.1 and 4.87.2. Those who upgraded their packages were then served a normal audio file (.wav) from the internet, which the script extracts and decodes.
The malicious code hiding inside is used to establish persistence on the target device and deploy a stage-two malware that acts as an infostealer, grabbing data from the device such as login credentials and system information.
The attack was carried out by a hacking collective calling itself TeamPCP. The group made headlines recently when it managed to compromise another major Python package called LiteLLM.
Now, researchers observed almost identical code in telnyx, saying they’re not yet sure how the maintainer’s PyPI account got compromised.
In any case, the .wav payload and the URL hosting it are now offline. Those who installed the poisoned versions should downgrade to the clean version, block all C2 address communication, and then revoke and rotate all credentials. Then, they should scan for additional persistence, to make sure the compromise has been fully addressed.
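To find out whether a project or environment ever pulled in one of the two poisoned releases, the check below scans dependency-file text and the local interpreter for telnyx 4.87.1 and 4.87.2. It is an added example, not code from JFrog or the Telnyx project; only the two version numbers come from the article, while the function names and sample inputs are constructed for illustration.

```python
import re
from importlib import metadata

POISONED = {"4.87.1", "4.87.2"}  # the two releases named in the article

# requirements.txt / constraints style pins: telnyx==4.87.1, telnyx[extra]===4.87.2
REQ_PIN = re.compile(
    r"^\s*telnyx(?:\[[^\]]*\])?\s*===?\s*([0-9][^\s;#\\,]*)", re.I | re.M
)
# Poetry-style lock entries: name = "telnyx" followed by version = "..."
LOCK_PIN = re.compile(r'name\s*=\s*"telnyx"\s*\n\s*version\s*=\s*"([^"]+)"', re.I)


def poisoned_pins(text):
    """Return the sorted poisoned telnyx versions pinned in a dependency file's text."""
    found = set(REQ_PIN.findall(text)) | set(LOCK_PIN.findall(text))
    return sorted(found & POISONED)


def installed_is_poisoned():
    """True/False for the telnyx installed in this environment, None if it is absent."""
    try:
        return metadata.version("telnyx") in POISONED
    except metadata.PackageNotFoundError:
        return None


# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
httpx==0.27.0
Telnyx==4.87.2 ; python_version >= "3.9"  # constructed pin
# telnyx==4.87.1 is commented out and must not match
telnyx-helper==4.87.1
"""
SAMPLE_LOCK = '[[package]]\nname = "telnyx"\nversion = "4.87.1"\n'

if __name__ == "__main__":
    print("requirements:", poisoned_pins(SAMPLE_REQUIREMENTS))
    print("lock file:", poisoned_pins(SAMPLE_LOCK))
    print("installed:", installed_is_poisoned())
```

Range or unpinned requirements are not flagged by the file scan, so run the installed-version check inside each affected environment as well.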
Protecting WordPress websites
As a platform, WordPress is generally considered safe and without known major vulnerabilities. However, it operates a vast repository of third-party, user-built themes and plugins, split into free and premium categories. The latter ones usually come with a dedicated maintenance and development team and as such are regularly updated and hardened against attacks.
The free ones, on the other hand, are often built by enthusiasts, small teams, and freelance developers. Many of them are abandoned, unmaintained, or otherwise poorly managed, despite being popular among the users. As such, they create a huge security risk on one end, and attack opportunity on the other.
As a general rule of thumb, security researchers advise WordPress users to keep their platform, themes, and plugins updated at all times. Furthermore, they suggest users only keep installed those themes and plugins they actively use and make sure to replace any default security and privacy settings.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.