Telnyx Targeted in Recent Supply Chain Cyberattack on TeamPCPs


Sophisticated Supply Chain Attack Targets Open-Source Software Ecosystem

A sophisticated supply chain attack has been detected that compromised several widely used libraries, including the popular Telnyx Python SDK. The attack began targeting the open-source software ecosystem on March 19.

Telnyx Python SDK Infected with Malware

  • The Telnyx Python SDK, which enables traditional phone calls directly on respond.io, was infected with malware in two separate versions, 4.87.1 and 4.87.2, which were uploaded to the PyPI registry on Friday.
  • These versions targeted Windows, macOS, and Linux systems.

Compromised Packages Contained WAV File Dropping Executable

  • The compromised Telnyx packages contained a WAV file. On Windows systems it dropped an executable into the startup folder; on macOS and Linux systems it executed a hardcoded Python script that decoded a third-stage collector script and exfiltrated the machine’s session key.
  • The WAV file, which passed MIME-type checks, contained a base64-encoded payload that was decoded using an XOR key.

Data Exfiltration via Asymmetric Encryption

According to the report, “The exfiltrated data was encrypted using asymmetric encryption (RSA), and the encoded public key was identical to one used in previous attacks attributed to the group known as TeamPCP.”

Blast Radius Extends Beyond Publicly Disclosed Compromised Packages

  • Users who installed either of the malicious versions of the SDK should consider their machines compromised and rotate all credentials, API keys, SSH keys, and other sensitive information.
  • The blast radius of the campaign extends far beyond the publicly disclosed compromised packages, with over 470 repositories identified that run a malicious version of the Trivy GitHub Action and more than 1,900 packages that include LiteLLM as a dependency.
  • The actual scope of the supply chain campaign is likely much larger when considering private repositories and transitive dependencies.
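As an added triage helper (not code from the report or from Telnyx), the script below scans a `pip freeze` or requirements listing for the two SDK versions named above and flags any LiteLLM pin for manual review, since the report names LiteLLM dependents in the blast radius but gives no version. The sample listing is constructed.

```python
"""Triage helper for the Telnyx SDK compromise described above."""
import re
from importlib import metadata

# Versions of the telnyx package that the report names as malicious.
MALICIOUS_TELNYX_VERSIONS = {"4.87.1", "4.87.2"}
# Named in the report's blast radius without a version: flag for review, not as compromised.
REVIEW_PACKAGES = {"litellm"}

# Matches "name==version", tolerating trailing markers (";") and comments ("#").
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")


def triage_requirements(text):
    """Return (package, version, verdict) for each pinned line that needs attention."""
    findings = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        # Normalise the distribution name the way pip does ("Telnyx_Foo" -> "telnyx-foo").
        name = m.group(1).lower().replace("_", "-")
        version = m.group(2)
        if name == "telnyx" and version in MALICIOUS_TELNYX_VERSIONS:
            findings.append((name, version, "compromised: rotate all credentials"))
        elif name in REVIEW_PACKAGES:
            findings.append((name, version, "review: named in campaign blast radius"))
    return findings


def triage_installed():
    """Run the same check against the packages installed in this interpreter."""
    lines = [f"{d.metadata['Name']}=={d.version}" for d in metadata.distributions()]
    return triage_requirements("\n".join(lines))


# Constructed sample of `pip freeze` output; not taken from the report.
SAMPLE_FREEZE = """\
requests==2.31.0
telnyx==4.87.2
litellm==1.0.0
Telnyx-Helpers==0.1  # a different distribution, must not be flagged
"""

if __name__ == "__main__":
    for pkg, ver, verdict in triage_requirements(SAMPLE_FREEZE):
        print(f"{pkg}=={ver}: {verdict}")
```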

This highlights the importance of vigilance and proactive measures to prevent similar attacks in the future.


