TH17132
Detected presence of files containing URLs related to the Telegram API.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
|  | pass | medium | high | None | None |
About the issue
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. They let software developers build applications that exchange data with servers hosted in multiple geographical regions, and they are commonly found embedded in documentation, configuration files, source code and compiled binaries. Telegram, like many other instant messaging services, exposes a public-facing API (the Bot API is served from api.telegram.org) that a chat client or bot invokes when an application event occurs. Attackers frequently abuse this API as a command-and-control channel that instructs infected systems to perform malicious actions, and as a convenient exfiltration channel for harvested credentials and other stolen data, because traffic to Telegram blends in with legitimate use and requires no attacker-owned infrastructure. The presence of Telegram API URLs does not by itself imply malicious intent, but every use of them in a software package should be documented and approved. A growing number of software supply chain attacks in the open source ecosystem leverage Telegram infrastructure for command and control.
How to resolve the issue
- Investigate the reported detections: locate each flagged file and URL, and determine whether the reference is a documented and approved part of the software.
- If the software should not include these network references, investigate your build and release environment for a software supply chain compromise.
- Delay the software release until the investigation is completed or the issue has been formally risk-accepted.
- Remove all references to the flagged network locations.
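To make the first step concrete, here is an added example of a triage scanner; it is not part of the original page and not ReversingLabs or Spectra Assure code, and it does not claim to reproduce the matching rules behind TH17132. It walks a directory tree, scans raw bytes (so source, configuration files and compiled binaries are all covered) for URLs under api.telegram.org, and redacts any Bot API token it finds so that the investigation report does not itself leak the secret. The regular expressions, the assumed token shape `<numeric bot id>:<secret>`, the `Finding` record, and the sample files with made-up tokens are all constructed for this example.

```python
"""Added example (not ReversingLabs or Spectra Assure code): a first-pass scanner
for the condition TH17132 reports, i.e. files that embed Telegram API URLs.

Scans raw bytes so it works on source, config files and compiled binaries
alike, and redacts any Bot API token it sees. The regexes, the token-shape
check and the sample tree are assumptions constructed for this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# The Bot API is served from api.telegram.org; its endpoints look like
# https://api.telegram.org/bot<TOKEN>/<method>. The URL tail stops at
# whitespace, quotes, angle brackets or a NUL byte (binary string terminator).
TELEGRAM_URL_RE = re.compile(
    rb"https?://api\.telegram\.org(?:/[^\s\"'<>\x00]*)?", re.IGNORECASE
)
# Assumed token shape: "<numeric bot id>:<secret>" directly after "/bot".
BOT_TOKEN_RE = re.compile(rb"/bot(\d+):([A-Za-z0-9_-]{20,})")


@dataclass
class Finding:
    path: str                  # file, relative to the scanned root
    offset: int                # byte offset of the URL inside the file
    url: str                   # URL as found, with any token redacted
    bot_id: Optional[str]      # numeric bot id when a Bot API token is present
    token_hint: Optional[str]  # redacted token, for correlating across files


def redact(bot_id: bytes, secret: bytes) -> str:
    """Keep the bot id and the first 4 secret chars; drop the rest."""
    return f"{bot_id.decode()}:{secret[:4].decode()}...REDACTED"


def scan_bytes(path: str, data: bytes) -> List[Finding]:
    """Return one Finding per Telegram API URL embedded in `data`."""
    findings = []
    for m in TELEGRAM_URL_RE.finditer(data):
        raw = m.group(0)
        tok = BOT_TOKEN_RE.search(raw)
        if tok is None:
            bot_id, hint, shown = None, None, raw
        else:
            bot_id = tok.group(1).decode()
            hint = redact(tok.group(1), tok.group(2))
            shown = BOT_TOKEN_RE.sub(b"/bot<REDACTED>", raw)
        findings.append(Finding(path, m.start(),
                                shown.decode("ascii", "replace"), bot_id, hint))
    return findings


def scan_tree(root: str, max_bytes: int = 64 * 1024 * 1024) -> List[Finding]:
    """Walk `root` and scan every regular file up to `max_bytes`, sorted by path."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.getsize(full) > max_bytes:
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(scan_bytes(rel, data))
    findings.sort(key=lambda f: (f.path, f.offset))
    return findings


# Constructed sample data: the tokens below are made up and not valid.
SAMPLE_SRC = ('URL = "https://api.telegram.org/bot123456789:'
              'AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0/sendMessage"\n')
SAMPLE_BIN = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16      # fake binary header
              + b"https://api.telegram.org/bot987654321:"
                b"BBGr8ZxQ2pL0mN4vW7yT1kS9dF3hJ6cV5bX/getUpdates"
              + b"\x00\x90\x90")
SAMPLE_DOC = "See https://api.telegram.org/ for the Bot API reference.\n"


def build_sample_tree() -> str:
    """Write a throwaway package tree containing the three samples above."""
    root = tempfile.mkdtemp(prefix="th17132_")
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "build"))
    with open(os.path.join(root, "src", "notify.py"), "w") as f:
        f.write(SAMPLE_SRC)
    with open(os.path.join(root, "build", "agent.bin"), "wb") as f:
        f.write(SAMPLE_BIN)
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write(SAMPLE_DOC)
    return root


def scan_sample() -> List[Finding]:
    """Build the sample tree and scan it (convenience entry point)."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for fnd in scan_sample():
        flag = f"bot_id={fnd.bot_id} token={fnd.token_hint}" if fnd.bot_id else "no token"
        print(f"{fnd.path}:{fnd.offset}: {fnd.url}  [{flag}]")
```

On the sample tree this reports three hits: a documentation link with no token, a token-bearing URL inside a fake binary, and a token-bearing URL in source. A hit in a README is usually benign; a token-bearing URL in a build artifact that no one can account for is exactly the case the second step above is about. Because the scan is a plain byte match, it misses UTF-16 strings (common in Windows binaries), base64-encoded or otherwise obfuscated URLs, and URLs assembled at runtime from fragments, so treat an empty result as "nothing obvious", not as a clean bill of health.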
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. The analysis results are used to calculate incidence statistics for the issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Recommended reading
- Threat Actors Use Telegram APIs for Harvesting Credentials (External resource - Forcepoint)
- Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot API (External resource - Broadcom)