MAL-2026-5621
Malicious code in twilio-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1) Package name `twilio-sdk` impersonates the official Twilio Node SDK (`twilio`) but ships an empty API (`module.exports = {}`). The only real behavior runs in postinstall.js, declared via `package.json` `"postinstall": "node./postinstall.js"`. On `npm install`, postinstall.js collects the installer's hostname, DNS-resolved FQDN, Active Directory domain (`USERDNSDOMAIN`), current working directory, Node version, CI flag, and CI/SCM identifiers (`GITHUB_REPOSITORY`, `CIRCLE_*`, `CI_PROJECT_PATH`, `BITBUCKET_REPO_FULL_NAME`, `BUILD_REPOSITORY_URI`, `TRAVIS_REPO_SLUG`, `JENKINS_URL`, `CI_SERVER_URL`), as well as the configured internal npm registry (`npm_config_registry`), and sends them as query parameters in a plaintext HTTP GET to `http://46.224.67.169:3000/ping`. The combination of name-squat against a top-tier SDK, divergent (empty) API, and an unconsented install-time beacon to a hardcoded bare IP is install-time reconnaissance for downstream targeting (dependency-confusion against the leaked internal registry, lateral movement using the leaked AD domain and internal CI URLs). The package's own README labeling it a 'security research honeypot' does not change the installer-side impact: any developer who mistypes `twilio` and installs this package leaks internal infrastructure identifiers to a third-party IP.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for twilio-sdk (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/twilio-sdk/v/0.2.2 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.1.1 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.2.0 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.2.1 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.1.2 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.2.4 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.1.0 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.1.3 [PACKAGE]
- https://www.npmjs.com/package/twilio-sdk/v/0.2.3 [PACKAGE]