
Telnyx Targeted in Growing TeamPCP Supply Chain Attack

Two malicious versions of the popular SDK were uploaded to the PyPI registry, targeting Windows, macOS, and Linux.

The popular Telnyx Python SDK is the latest victim of TeamPCP’s weeks-long supply chain campaign targeting the broad open source software ecosystem.

The campaign started on March 19 with Aqua Security’s open source vulnerability scanner Trivy and continued with infections across NPM, Docker Hub, Kubernetes, OpenVSX, and the LiteLLM PyPI package.

On Friday, two malicious versions of Telnyx, namely 4.87.1 and 4.87.2, were uploaded to the PyPI registry, targeting Windows, macOS, and Linux systems.

Telnyx is a global communications platform-as-a-service (CPaaS) provider that operates its own private IP network to deliver voice, messaging, and programmable communication services to businesses. The Python library has over 670,000 monthly downloads.

The rogue Telnyx PyPI packages carried their payload inside a WAV file. On Windows, the decoded payload is an executable that is dropped into the Startup folder so it runs again at every logon; on macOS and Linux, a hardcoded Python script decodes a third-stage collector script that exfiltrates the machine’s session key.

“The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script,” cybersecurity firm Aikido explains.
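The following Python is an added illustration, not code from the malicious package, from Aikido, or from Telnyx. It reconstructs the carrier layout Aikido describes (base64 text stored as the PCM frame data; first eight decoded bytes are the XOR key, the remainder is the XOR-obfuscated payload) and the matching extraction step a triage script would run over a suspect WAV. The key, the stand-in payload and the container parameters (16-bit mono PCM at 8 kHz) are all constructed or assumed here; the page does not give them.

```python
"""Build and unpack a WAV whose audio frames hide an XOR-obfuscated payload.

Added example only: the WAV, key and payload are constructed for the demo,
and the frame layout follows Aikido's description of the Telnyx sample.
"""
import base64
import io
import wave
from typing import Optional

KEY_LEN = 8  # first 8 decoded bytes are the XOR key, per Aikido's description


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key` (also undoes itself)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _wrap_in_wav(frames: bytes) -> bytes:
    """Wrap arbitrary bytes in a valid RIFF/WAVE container (16-bit mono PCM, assumed)."""
    if len(frames) % 2:
        frames += b"\x00"  # keep whole 16-bit samples
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()


def build_carrier_wav(payload: bytes, key: bytes) -> bytes:
    """Constructed carrier: frame data = base64(key || payload XOR key)."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return _wrap_in_wav(base64.b64encode(key + xor_bytes(payload, key)))


def build_benign_wav() -> bytes:
    """Constructed ordinary PCM audio: raw sample bytes are not valid base64."""
    return _wrap_in_wav(bytes(range(256)) * 4)


def is_wav(blob: bytes) -> bool:
    """The magic/MIME check a naive scanner applies; the carrier passes it."""
    return blob[:4] == b"RIFF" and blob[8:12] == b"WAVE"


def extract_payload(blob: bytes) -> Optional[bytes]:
    """Recover the hidden payload, or None if the frames are not base64 text."""
    try:
        with wave.open(io.BytesIO(blob), "rb") as w:
            frames = w.readframes(w.getnframes())
    except (wave.Error, EOFError):
        return None
    try:
        decoded = base64.b64decode(frames, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(decoded) <= KEY_LEN:
        return None
    key, body = decoded[:KEY_LEN], decoded[KEY_LEN:]
    return xor_bytes(body, key)


def classify(payload: bytes) -> str:
    """Rough triage of what was recovered: PE, ELF, Mach-O, Python script or unknown."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"\x7fELF"):
        return "elf"
    if payload[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "mach-o"
    if payload.lstrip().startswith((b"import ", b"from ", b"#!")):
        return "python-script"
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-in for the dropper script; not the real payload.
    sample = b"import os\nprint(os.environ.get('HOME'))\n"
    key = b"\x13\x37\xde\xad\xbe\xef\x00\x42"
    carrier = build_carrier_wav(sample, key)
    print("passes WAV check:", is_wav(carrier))
    recovered = extract_payload(carrier)
    print("recovered:", classify(recovered), recovered == sample)
    print("benign audio yields:", extract_payload(build_benign_wav()))
```

To triage a real file, read it and pass the bytes to `extract_payload`; strict base64 decoding of the frame data is the practical discriminator, because genuine PCM almost never decodes cleanly, whereas the carrier does. The check is specific to this encoding: a variant that stores raw bytes, uses a different key length or a different text encoding would need the constants adjusted.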

All the exfiltrated data is encrypted with RSA, and the embedded (encoded) public key is the same one used in previous TeamPCP attacks, such as the LiteLLM PyPI package compromise, JFrog notes. Because only the attacker holds the matching private key, captured exfiltration traffic cannot be decrypted by defenders, which is why the shared key is useful mainly as an attribution marker.

“It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP’s recent attacks on the open source ecosystems,” JFrog says.

Telnyx users who installed either of the malicious versions of the SDK should consider their machines compromised and rotate all credentials, API keys, SSH keys, and other secrets. Uninstalling the package is not sufficient on its own: on Windows the dropped executable persists from the Startup folder independently of the SDK, and any secrets already exfiltrated remain exposed until they are rotated.

According to GitGuardian, the blast radius from TeamPCP’s campaign extends well beyond the publicly discussed compromised packages.

The cybersecurity firm identified over 470 repositories that run a malicious version of the Trivy GitHub Action, and more than 1,900 packages that included LiteLLM as a dependency, thus potentially propagating the initial infection.

The numbers, GitGuardian warns, represent lower bounds, as the analysis is based only on publicly accessible data. When private repositories and transitive dependencies are taken into consideration, the actual scope of the supply chain campaign extends much further.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
