The popular Telnyx Python SDK is the latest victim of TeamPCP’s weeks-long supply chain campaign targeting the broad open source software ecosystem.
The campaign started on March 19 with Aqua Security’s open source vulnerability scanner Trivy and continued with infections across NPM, Docker Hub, Kubernetes, OpenVSX, and the LiteLLM PyPI package.
On Friday, two malicious versions of Telnyx, namely 4.87.1 and 4.87.2, were uploaded to the PyPI registry, targeting Windows, macOS, and Linux systems.
Telnyx is a cloud-based voice solution enabling traditional phone calls directly on respond.io. The Python library has over 670,000 monthly downloads.
The rogue Telnyx PyPI packages contained a WAV file carrying the next stage. On Windows it dropped an executable into the startup folder; on macOS and Linux it ran a hardcoded Python script that decoded a third-stage collector script to exfiltrate the machine’s session key.
“The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script,” cybersecurity firm Aikido explains.
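A defender-side check for the layout Aikido describes, written here as an added example (not Aikido's, JFrog's or Telnyx's code): it parses a WAV with the standard library, tests whether the audio frames are entirely base64, applies the first 8 decoded bytes as the XOR key, and classifies what comes out. The fixture builder and the benign payloads are constructed for the demonstration; the 8-byte key length is the one reported above.

```python
import base64
import binascii
import io
import wave

XOR_KEY_LEN = 8  # key length reported for this campaign


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scan_wav(wav_bytes: bytes) -> dict:
    """Flag a WAV whose PCM frames are really base64(key || xor(payload, key))."""
    try:
        with wave.open(io.BytesIO(wav_bytes), "rb") as wf:
            frames = wf.readframes(wf.getnframes())
    except (wave.Error, EOFError) as exc:
        return {"suspicious": False, "reason": f"not a parseable WAV: {exc}"}
    # Real sample data contains bytes outside the base64 alphabet almost immediately;
    # strict decoding therefore separates audio from a wrapped payload cheaply.
    try:
        blob = base64.b64decode(frames, validate=True)
    except (binascii.Error, ValueError):
        return {"suspicious": False, "reason": "frame data is not base64"}
    if len(blob) <= XOR_KEY_LEN:
        return {"suspicious": False, "reason": "decoded blob too short"}
    key, body = blob[:XOR_KEY_LEN], blob[XOR_KEY_LEN:]
    plain = _xor(body, key)
    if plain.startswith(b"MZ"):
        kind = "windows-pe"  # Windows branch: dropped executable
    elif plain.lstrip().startswith((b"import ", b"from ", b"#!", b"exec(")):
        kind = "python-script"  # macOS/Linux branch: decoder script
    else:
        kind = "unknown"
    return {"suspicious": True, "reason": f"hidden {kind} payload",
            "kind": kind, "payload_head": plain[:16]}


def make_fixture_wav(payload: bytes, key: bytes = bytes(range(1, 9))) -> bytes:
    """Constructed test fixture only: wraps a benign payload in the described layout."""
    assert len(key) == XOR_KEY_LEN
    b64 = base64.b64encode(key + _xor(payload, key))  # length is a multiple of 4, so it fills whole 16-bit frames
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(8000)
        wf.writeframes(b64)
    return buf.getvalue()


def make_clean_wav() -> bytes:
    """Constructed ordinary PCM audio (every byte value once) for the negative case."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(8000)
        wf.writeframes(bytes(range(256)))
    return buf.getvalue()
```

Both fixtures pass the same MIME/format checks as genuine audio, which is the point: format validity says nothing about the frame contents, so the frames themselves have to be inspected.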
All the exfiltrated data is encrypted with asymmetric encryption (RSA), and the embedded public key is the same one used in previous TeamPCP attacks, such as the LiteLLM PyPI package compromise, JFrog notes.
“It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP’s recent attacks on the open source ecosystems,” JFrog says.
Telnyx users who installed either of the malicious versions of the SDK should consider their machines compromised and rotate all credentials, API keys, SSH keys, and other secrets.
According to GitGuardian, the blast radius from TeamPCP’s campaign extends well beyond the publicly discussed compromised packages.
The cybersecurity firm identified over 470 repositories that run a malicious version of the Trivy GitHub Action, and more than 1,900 packages that list LiteLLM as a dependency and could therefore propagate the initial infection further.
The numbers, GitGuardian warns, represent lower bounds, as the analysis is based only on publicly accessible data. When private repositories and transitive dependencies are taken into consideration, the actual scope of the supply chain campaign extends much further.