Malicious backdoored NPM package masqueraded as Twilio library for three days until it was turfed out

Dodgy JavaScript code downloaded hundreds of times


GitHub's NPM on Monday removed a JavaScript library called twilio-npm because it contained malicious code, which has become something of a recurring theme for the open-source JavaScript code registry.

The offending library, designed to backdoor a victim's device and allow remote code execution, was spotted by Sonatype, the security biz that flagged another malicious NPM Registry package called electorn last month.

According to Ax Sharma, security engineer at Sonatype, twilio-npm has nothing to do with Twilio, a company that provides programmatic telephony services. But he speculates that the popularity of official Twilio NPM packages, some of which get downloaded close to half a million times each day, motivated the miscreants behind twilio-npm to co-opt the company name.

The twilio-npm package didn't stick around long enough to dupe many people, however. Uploaded on Friday, October 30, it was flagged as suspicious a day later by Sonatype's Release Integrity service – AI and machine learning evidently have some uses. On Monday, November 2, the biz published its findings, and the code was removed.

The NPM advisory said the package opens a reverse shell to a remote server. "Any computer that has this package installed or running should be considered fully compromised," the notice stated. "All secrets and keys stored on that computer should be rotated immediately from a different computer."

The code does so through a post-install script: a command declared under the package's postinstall lifecycle hook, which npm runs automatically once the malicious library has been fetched from the NPM Registry and unpacked. Nothing from the library needs to be imported or called; installing it, including as a transitive dependency, is enough to execute the hook, unless the install is run with scripts disabled. The script opens a TCP reverse shell using a service called ngrok.io, a legitimate developer tool that provides a way to expose local servers behind NATs and firewalls to the public internet.

It's unlikely that many people were deceived into installing the malicious library, however. Sharma said there were only 371 downloads during the brief time the code was available. And many of these initial requests are likely to have come from scanning engines and proxies that aim to keep track of changes to the NPM Registry.

Even so, the incident isn't an isolated event. Last month alone, six NPM packages were flagged for being malicious. And this has been going on for years.

A research paper released in September argued the NPM ecosystem isn't as risky as it may seem. However, that study focused on vulnerabilities unintentionally incorporated into libraries rather than deliberate attempts to sabotage packages with malicious code.

"Open source software is being published and consumed every day at an increasingly massive scale, yet most security protections still rely on community trust and human oversight – which can be easily abused," said AJ Brown, product manager at Sonatype. ®


Biting the hand that feeds IT © 1998–2020