A JavaScript library, which is intended to be a library related to Twilio allowed backdoors to be installed on programmers' computers To allow attackers to access infected workstations, it was uploaded to the npm open source registry last Friday.
Fortunately, the malware detection service Sonatype Release Integrity quickly detected the malware, in three versions, and removed it on Monday.
The npm security team removed a JavaScript library on Monday named "twilio-npm" from the npm website because it contained malicious code that could open backdoors on programmers' computers.
Packages containing malicious code have become a recurring topic in the open source JavaScript code registry.
The JavaScript library (and its malicious behavior) was discovered this weekend by Sonatype, which monitors public package repositories as part of its security operations services for DevSecOps.
In a report released Monday, Sonatype said the library was first posted to the npm website on Friday, discovered the same day, and removed on Monday after the npm security team put the package in a blacklist.
There are many legitimate packages in the npm registry related to or representing the official Twilio service.
But according to Ax Sharma, Sonatype's security engineer, twilio-npm has nothing to do with the Twilio company. Twilio is not involved and has nothing to do with this attempted brand theft. Twilio is a leading cloud-based communications platform as a service that allows developers to create VoIP-based applications that can programmatically make and receive phone calls and text messages.
The official package of Twilio npm downloads almost half a million times a week, according to the engineer. Its high popularity explains why threat actors might be interested in catching developers with a counterfeit component of the same name.
“However, the Twilio-npm package did not hold up long enough to fool many people. Uploaded on Friday, October 30, Sontatype's Release Integrity service apparently flagged the code as suspicious a day later - artificial intelligence and machine learning clearly have uses. On Monday, November 2, the company published its findings and the code was withdrawn.
Despite the short lifespan of the npm portal, the library has been downloaded over 370 times and has been automatically included in JavaScript projects created and managed through the npm command-line utility (Node Package Manager), according to Sharma. . And many of those initial requests are likely coming from scan engines and proxies that aim to track changes to the npm registry.
Counterfeit package is single file malware and has 3 versions available to download (1.0.0, 1.0.1 and 1.0.2). All three versions appear to have been released on the same day, October 30. Version 1.0.0 doesn't accomplish much, according to Sharma. It only includes a small manifest file, package.json, which extracts a resource located in an ngrok subdomain.
ngrok is a legitimate service that developers use when testing their application, especially to open connections to their "localhost" server applications behind NAT or a firewall. However, as of versions 1.0.1 and 1.0.2, the same manifest has its post-installation script modified to perform a sinister task, according to Sharma.
This effectively opens a backdoor on the user's machine, giving the attacker control of the compromised machine and remote code execution (RCE) capabilities. Sharma said that the reverse command interpreter only works on UNIX-based operating systems.
Developers must change IDs, secrets, and keys
The npm advisory says that developers who may have installed the malicious package before it is removed are at risk.
"Any computer on which this package is installed or working should be considered fully compromised," the npm security team said Monday, confirming Sonatype's investigation.