The code library, designed to backdoor the victim’s device and allow remote code execution, was spotted by Sonatype, the security biz that flagged another malicious NPM Registry package called “electorn” last month.
According to Ax Sharma, security engineer at Sonatype, “twilio-npm” has nothing to do with Twilio, a company that provides programmatic telephony services. But he speculates that the popularity of official Twilio NPM packages, some of which get downloaded close to half a million times each day, motivated the miscreants behind “twilio-npm” to co-opt the company name.
The “twilio-npm” package didn’t stick around long enough to dupe many people, however. It was uploaded on Friday, October 30, and Sonatype’s Release Integrity service flagged the code as suspicious a day later – AI and machine learning evidently have some uses. On Monday, November 2, the company published its findings and the code was removed.
The NPM advisory says that the package opens a reverse shell to a remote server.
“Any computer that has this package installed or running should be considered fully compromised,” the notice says. “All secrets and keys stored on that computer should be rotated immediately from a different computer.”
The code does so through a “postinstall” script, an npm lifecycle hook that runs automatically after the malicious library is fetched from the NPM Registry and installed, which means a victim need only install the package, not import or run it. The script opens a TCP reverse shell to an endpoint on ngrok.io, a legitimate developer tool that provides a way to expose local servers behind firewalls and NAT to the public internet, which in this case gives the attacker’s listener a public address.
It’s unlikely that many people were deceived into installing the malicious library, however. Sharma reports there were only 371 downloads during the brief time the code was available. And many of these initial requests are likely to have come from scanning engines and proxies that aim to keep track of changes to the NPM Registry.
A research paper released in September argued that the NPM ecosystem isn’t as risky as it may seem. But the study focuses on vulnerabilities incorporated into libraries rather than deliberate attempts to sabotage a library with malicious code.
“Open source software is being published and consumed every day at an increasingly massive scale, yet most security protections still rely on community trust and human oversight – which can be easily abused,” said AJ Brown, product manager at Sonatype, in the company’s blog post. ®