MAL-2026-5621

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twilio-sdk/MAL-2026-5621.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5621
Published
2026-06-11T06:13:02Z
Modified
2026-06-11T08:01:33.365373030Z
Summary
Malicious code in twilio-sdk (npm)
Details


Source: amazon-inspector (737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1)

Package name twilio-sdk impersonates the official Twilio Node SDK (twilio) but ships an empty API (module.exports = {}). The only real behavior runs in postinstall.js, declared via package.json "postinstall": "node ./postinstall.js". On npm install, postinstall.js collects the installer's hostname, DNS-resolved FQDN, Active Directory domain (USERDNSDOMAIN), current working directory, Node version, CI flag, and CI/SCM identifiers (GITHUB_REPOSITORY, CIRCLE_*, CI_PROJECT_PATH, BITBUCKET_REPO_FULL_NAME, BUILD_REPOSITORY_URI, TRAVIS_REPO_SLUG, JENKINS_URL, CI_SERVER_URL), as well as the configured internal npm registry (npm_config_registry), and sends them as query parameters in a plaintext HTTP GET to http://46.224.67.169:3000/ping. The combination of name-squat against a top-tier SDK, divergent (empty) API, and an unconsented install-time beacon to a hardcoded bare IP is install-time reconnaissance for downstream targeting (dependency-confusion against the leaked internal registry, lateral movement using the leaked AD domain and internal CI URLs). The package's own README labeling it a 'security research honeypot' does not change the installer-side impact: any developer who mistypes twilio and installs this package leaks internal infrastructure identifiers to a third-party IP.
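As an added example, not code from the advisory or from the package itself, the following pre-install audit in JavaScript flags the three traits described above: an install-time lifecycle hook in package.json, a plaintext http:// URL to a bare IPv4 host, and references to the CI/registry environment identifiers the advisory lists. The package.json and script contents it inspects are constructed stand-ins, not the real files.

```javascript
// Lifecycle scripts npm runs at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Env identifiers the advisory lists as collected (CIRCLE_ is a prefix for CIRCLE_*).
const SENSITIVE_ENV = [
  "USERDNSDOMAIN", "GITHUB_REPOSITORY", "CIRCLE_", "CI_PROJECT_PATH",
  "BITBUCKET_REPO_FULL_NAME", "BUILD_REPOSITORY_URI", "TRAVIS_REPO_SLUG",
  "JENKINS_URL", "CI_SERVER_URL", "npm_config_registry",
];
// Plaintext http:// URLs whose host is a bare IPv4 address.
const BARE_IP_HTTP = /http:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:\/[^\s"'`]*)?/g;

// Audit a package from its package.json text and a map of file path -> source text.
function auditPackage(pkgJsonText, files) {
  const findings = [];
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: "lifecycle-hook", hook, cmd: scripts[hook] });
  }
  for (const [path, src] of Object.entries(files)) {
    for (const m of src.matchAll(BARE_IP_HTTP)) {
      findings.push({ kind: "plaintext-bare-ip-url", path, url: m[0] });
    }
    const names = SENSITIVE_ENV.filter((n) => src.includes(n));
    if (names.length) findings.push({ kind: "env-harvest", path, names });
  }
  return findings;
}

// A lifecycle hook alone is common in legitimate packages; combined with a
// bare-IP beacon URL or env harvesting it matches the advisory's pattern.
function isSuspicious(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return kinds.has("lifecycle-hook") &&
    (kinds.has("plaintext-bare-ip-url") || kinds.has("env-harvest"));
}

// Constructed stand-in inputs, not the real package; 192.0.2.10 is a TEST-NET-1 address.
const SAMPLE_PKG_JSON = JSON.stringify({
  name: "example-sdk", version: "0.0.0",
  scripts: { postinstall: "node ./postinstall.js" },
});
const SAMPLE_FILES = {
  "postinstall.js": [
    'const beacon = "http://192.0.2.10:3000/ping";',
    "const registry = process.env.npm_config_registry;",
    "const repo = process.env.GITHUB_REPOSITORY || process.env.CIRCLE_PROJECT_REPONAME;",
  ].join("\n"),
  "index.js": "module.exports = {};",
};
console.log(isSuspicious(auditPackage(SAMPLE_PKG_JSON, SAMPLE_FILES)));  // prints true
```

In practice the inputs come from a fetched tarball (npm pack) inspected before install; a hit on a squat-like name against a well-known SDK should block the install rather than just log.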

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005616",
            "versions": [
                "0.2.2"
            ],
            "sha256": "19cd7cb8b737391c1893041cc338e3f0632d8b5f55329421a17f77bf64c4ad53",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:11Z",
            "import_time": "2026-06-11T07:49:33.111680057Z"
        },
        {
            "id": "IN-MAL-2026-005614",
            "versions": [
                "0.1.1"
            ],
            "sha256": "610ffe4143722dcdfeb3d049bd8c58e4061386308e663fa30bf4e66ea30085d6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:07Z",
            "import_time": "2026-06-11T07:49:32.876767331Z"
        },
        {
            "id": "IN-MAL-2026-005610",
            "import_time": "2026-06-11T07:49:32.385326037Z",
            "sha256": "737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:04Z",
            "versions": [
                "0.2.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005611",
            "versions": [
                "0.2.1"
            ],
            "sha256": "96a398d34d95257b84af146f94611845bd6259dea411757c3439bab56a062a18",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:05Z",
            "import_time": "2026-06-11T07:49:32.527019873Z"
        },
        {
            "id": "IN-MAL-2026-005613",
            "import_time": "2026-06-11T07:49:32.728480979Z",
            "sha256": "9c432fae4dbe2d0a743896a087004cf27a0af9de6aee260c2cf0bc641d4e64d7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:06Z",
            "versions": [
                "0.1.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005609",
            "import_time": "2026-06-11T07:49:32.308543917Z",
            "sha256": "ca267e3c5c740cd5cd890f085b234f2fbe56734efaa3d91543ea4dd42c2643c1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:03Z",
            "versions": [
                "0.2.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005615",
            "import_time": "2026-06-11T07:49:33.028830172Z",
            "sha256": "e9a31c7cf630ff29db274913971222bd67481ca14a84f4820f2baff17f8327a2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:08Z",
            "versions": [
                "0.1.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005608",
            "import_time": "2026-06-11T07:49:32.221288594Z",
            "sha256": "f8475741df241619c65b6da1b848b004b8339a3531a1397fbdfb26406797964d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:02Z",
            "versions": [
                "0.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005612",
            "import_time": "2026-06-11T07:49:32.626851259Z",
            "sha256": "339af037f4255c3a8743ba7c80f3c4178b855a908a5b5cab6fc24fb9d0d3aa1a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:13:06Z",
            "versions": [
                "0.2.3"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / twilio-sdk

Affected ranges: 0.*

Affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "28a767c2a2579d8c8ad62e717d59dd2a0aad41410e65f308a4aa1a66c3cc380b",
            "tlsh": "16517b264e1444b91aeb2158973e784eaafff10708b59a403fada1842ff03531734ef4"
        },
        {
            "path": "package.json",
            "sha256": "29cc1e06399f85e7964b2406d184333ca21bd43eaf8e3d65cc3b21dd55e2b586",
            "tlsh": "e5e086104b224f3378c4ab990d676949a592581781547c2927ef11984b8d27a88ff22e"
        }
    ],
    "package_integrity": [
        {
            "filename": "twilio-sdk-0.2.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-xe+ZpznGn8jo8TUmCwvWr6cw5TidpLxupLwkPCkxv2NI0bYGQobdHJZiodr2aV6virhmr68hgCoF1qm3w/Mcow==",
                "sha1": "94c9f6dad0dbf77bc7235a7accde387af972f5cd"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twilio-sdk/MAL-2026-5621.json"