The Telnyx Python SDK has become the latest casualty in a series of supply chain attacks orchestrated by TeamPCP, affecting the open source software ecosystem. This campaign, which began on March 19, initially targeted Aqua Security’s Trivy vulnerability scanner and has since extended its reach to platforms like NPM, Docker Hub, Kubernetes, OpenVSX, and PyPI packages such as LiteLLM.
Malicious Versions of Telnyx SDK Released
On Friday, two compromised versions of Telnyx, specifically 4.87.1 and 4.87.2, were introduced to the PyPI registry. These versions targeted a wide range of operating systems, including Windows, macOS, and Linux. Telnyx, known for its cloud-based voice capabilities, is integrated with respond.io and boasts over 670,000 downloads each month.
The infected Telnyx packages carried a WAV file whose concealed payload was used differently depending on the operating system. On Windows, it dropped an executable into the startup folder; on macOS and Linux, it ran a Python script that decoded a second script intended to exfiltrate session keys from the machine.
Technical Details of the Attack
As explained by cybersecurity firm Aikido, the WAV file appeared legitimate, passing MIME-type checks. However, its audio frame data concealed a base64-encoded payload. Decoding these frames involved using an XOR key derived from the first 8 bytes, enabling the extraction of either an executable or a Python script.
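The following heuristic check, added here as an illustration and not code from Aikido, Telnyx or the attackers, parses a WAV file with the standard library and flags frame data that decodes almost entirely into the base64 alphabet, which real audio never does. Two assumptions are labelled in the code: the article only says the XOR key is "derived from" the first 8 bytes, so the check takes those bytes verbatim as a repeating key, and both WAV samples are constructed in-line for the demonstration.

```python
import base64
import io
import math
import struct
import wave

B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")

def base64_ratio(frames: bytes) -> float:
    """Fraction of frame bytes that land in the base64 alphabet after XOR with
    the first 8 bytes of the frame data (assumed key derivation, see lead-in)."""
    if len(frames) <= 8:
        return 0.0
    key, body = frames[:8], frames[8:]
    decoded = bytes(b ^ key[i % 8] for i, b in enumerate(body))
    return sum(b in B64_ALPHABET for b in decoded) / len(decoded)

def wav_frames(data: bytes) -> bytes:
    """Return the raw PCM frame data of an in-memory WAV file."""
    with wave.open(io.BytesIO(data)) as w:
        return w.readframes(w.getnframes())

def is_suspicious(data: bytes, threshold: float = 0.95) -> bool:
    """Real audio decodes to roughly random bytes (about 26% in the base64 set);
    a hidden base64 blob decodes almost entirely into it."""
    return base64_ratio(wav_frames(data)) >= threshold

def make_wav(frames: bytes) -> bytes:
    """Wrap raw bytes as a 16-bit mono 8 kHz PCM WAV (for the constructed samples)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

# Constructed benign sample: half a second of a 440 Hz tone.
BENIGN_WAV = make_wav(b"".join(
    struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * n / 8000)))
    for n in range(4000)))
# Constructed stego-like sample: key bytes followed by XOR-masked base64 text.
_KEY = b"\x13\x37\xde\xad\xbe\xef\x00\x42"
_PAYLOAD = base64.b64encode(b"constructed placeholder, not a real payload " * 20)
STEGO_WAV = make_wav(_KEY + bytes(b ^ _KEY[i % 8] for i, b in enumerate(_PAYLOAD)))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAV), ("stego", STEGO_WAV)):
        print(f"{name}: base64 ratio {base64_ratio(wav_frames(blob)):.2f}, "
              f"suspicious={is_suspicious(blob)}")
```

A WAV shipped inside an SDK wheel is itself unusual; in practice this check belongs in a package-audit step that first lists non-code resource files and then scores any audio it finds.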
All data exfiltrated through this method was encrypted using RSA, with the same public key seen in previous TeamPCP attacks, including the LiteLLM PyPI package breach, as noted by JFrog. The exact method of compromise remains uncertain, but it is likely linked to TeamPCP’s ongoing attacks on open source platforms.
Implications and Recommendations for Users
Users who have installed any of the affected Telnyx SDK versions are advised to assume system compromise. It is crucial for these users to rotate credentials, API keys, SSH keys, and any other sensitive information.
According to GitGuardian, the impact of TeamPCP’s campaign is substantial, reaching beyond the publicly identified compromised packages. The firm has detected over 470 repositories running a malicious Trivy version and more than 1,900 packages with LiteLLM dependencies, suggesting a much larger infection scope when including private repositories and transitive dependencies.
In light of these developments, cybersecurity experts emphasize the need for vigilance and immediate action to mitigate potential risks associated with such supply chain attacks.
