VDB
KO

MAL-2026-5621

Malicious code in twilio-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1) Package name `twilio-sdk` impersonates the official Twilio Node SDK (`twilio`) but ships an empty API (`module.exports = {}`). The only real behavior runs in postinstall.js, declared via `package.json` `"postinstall": "node./postinstall.js"`. On `npm install`, postinstall.js collects the installer's hostname, DNS-resolved FQDN, Active Directory domain (`USERDNSDOMAIN`), current working directory, Node version, CI flag, and CI/SCM identifiers (`GITHUB_REPOSITORY`, `CIRCLE_*`, `CI_PROJECT_PATH`, `BITBUCKET_REPO_FULL_NAME`, `BUILD_REPOSITORY_URI`, `TRAVIS_REPO_SLUG`, `JENKINS_URL`, `CI_SERVER_URL`), as well as the configured internal npm registry (`npm_config_registry`), and sends them as query parameters in a plaintext HTTP GET to `http://46.224.67.169:3000/ping`. The combination of name-squat against a top-tier SDK, divergent (empty) API, and an unconsented install-time beacon to a hardcoded bare IP is install-time reconnaissance for downstream targeting (dependency-confusion against the leaked internal registry, lateral movement using the leaked AD domain and internal CI URLs). The package's own README labeling it a 'security research honeypot' does not change the installer-side impact: any developer who mistypes `twilio` and installs this package leaks internal infrastructure identifiers to a third-party IP.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / twilio-sdk

No fixed version published yet for twilio-sdk (npm). Pin to a known-safe version or switch to an alternative.

References