Malware & Ransomware · HIGH

Malware - Backdoored Telnyx PyPI Package Distributes Threat

BleepingComputer
Tags: Telnyx · TeamPCP · malware · supply chain attack · PyPI

🎯 Basically, hackers hid malware in a popular coding package to steal sensitive information.

Quick Summary

A backdoored Telnyx package on PyPI has been found to deliver malware hidden in WAV files. Developers must act fast to secure their systems and protect sensitive data. This incident highlights the ongoing risks associated with supply-chain attacks.

What Happened

Today, hackers from TeamPCP compromised the Telnyx package on the Python Package Index (PyPI). They uploaded malicious versions of the package that deliver credential-stealing malware hidden inside WAV audio files. The supply-chain attack was detected by security firms including Aikido, Socket, and Endor Labs. The breach is attributed to TeamPCP because of its distinctive exfiltration patterns and the RSA keys used in the group's previous attacks.

The malicious versions, Telnyx 4.87.1 and 4.87.2, were published earlier today. The first version contained a non-functioning payload, but within an hour the threat actor corrected the issue with a working version. This rapid turnaround shows how quickly the attackers iterate and how determined they were to get a working payload in front of downstream users.

Who's Being Targeted

The Telnyx SDK is widely used by developers to integrate communication services like VoIP and messaging into their applications. With over 740,000 downloads per month, the potential impact of this attack is significant. Both Linux and macOS users are at risk, as the malware targets their systems to steal sensitive information such as SSH keys, cloud tokens, and cryptocurrency wallets.

Windows users are also affected, with the malware designed to run persistently by placing itself in the startup folder. This means that once infected, the malware can execute every time the system boots up, increasing the risk of data exfiltration.

Signs of Infection

The malicious code is embedded in the telnyx/_client.py file and runs automatically as soon as the package is imported. On Linux and macOS, the malware downloads a second-stage payload disguised as a WAV file named ringtone.wav. The payload is hidden inside the audio data by steganography, so the loader extracts and executes it from what looks like an ordinary audio file.

For Windows users, a different WAV file (hangup.wav) is used to deploy an executable named msbuild.exe. This executable is placed in the Startup folder so that it runs automatically at every boot, which also complicates detection and removal.

How to Protect Yourself

Developers who have imported the malicious versions of the Telnyx package should treat their systems as fully compromised. The best course of action is to roll back to the clean variant, Telnyx version 4.87.0, which contains no malicious alterations. Additionally, it is crucial to rotate all secrets and sensitive data that may have been exposed during the attack.

Security researchers recommend immediate action to mitigate risks. If you suspect your environment has been compromised, conduct a thorough security audit and remove any unauthorized packages. Staying vigilant and informed is key to preventing future attacks like this one.
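As an added example (not code from the article, from BleepingComputer or from Telnyx), here is a defender-side check in Python that applies the indicators above: it classifies the installed telnyx version and any requirements pins against the two backdoored releases and the clean 4.87.0, and lists files whose names match the artifact names the report mentions. The regex, the function names and the choice to flag unpinned or range pins as "review" are my own assumptions, not anything from the report.

```python
import importlib.metadata as md
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Versions named in the report: the two backdoored releases and the clean one to roll back to.
MALICIOUS_VERSIONS = {"4.87.1", "4.87.2"}
SAFE_VERSION = "4.87.0"
# File names the report ties to the second-stage payload. A hit is a triage lead, not proof.
SUSPECT_FILENAMES = {"ringtone.wav", "hangup.wav", "msbuild.exe"}

# One requirements line: 'telnyx', optional extras, optional operator + version (my own regex).
_REQ_RE = re.compile(
    r"^telnyx(?:\[[^\]]*\])?\s*(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][\w.*]*))?$", re.IGNORECASE
)

def classify_version(version: str) -> str:
    """Map a telnyx version string to 'malicious', 'safe' or 'unknown'."""
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    return "safe" if version == SAFE_VERSION else "unknown"

def check_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, version, verdict) per telnyx entry. Only an exact '==' pin gets a
    version verdict; unpinned or range entries are 'review', since a fresh install
    could have resolved to a backdoored release."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        spec = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and markers
        m = _REQ_RE.match(spec)
        if m is None:
            continue
        op, version = m.group(1), m.group(2)
        if op == "==":
            findings.append((no, version, classify_version(version)))
        else:
            findings.append((no, version or "unpinned", "review"))
    return findings

def installed_version() -> Optional[str]:
    """Version of telnyx installed in the running interpreter, or None if absent."""
    try:
        return md.version("telnyx")
    except md.PackageNotFoundError:
        return None

def find_suspect_files(root: Path) -> List[Path]:
    """Walk root and return files whose names match the artifact names from the report."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() in SUSPECT_FILENAMES)
```

Run `check_requirements` over each project's requirements file and `find_suspect_files` over build hosts and CI runners; any "malicious" or "review" hit means treating the host as compromised and rotating its secrets, as the article advises.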

🔒 Pro insight: This incident underscores the persistent threat of supply-chain attacks; organizations must tighten the controls around how they consume and update third-party packages.

Original article from BleepingComputer · Bill Toulas
