The npm security team has removed a malicious JavaScript library posing as a Twilio-related package from the npm website because it contained malicious code that planted a backdoor on users’ computers.
The library, named “twilio-npm”, was published to the npm registry on October 30 and was removed within a few hours of release. Despite its short presence on the npm portal, the malicious library amassed more than 500 downloads and was automatically pulled into JavaScript projects built and managed with the npm (Node Package Manager) command-line utility.
The malicious code discovered in the tainted Twilio library opened a TCP reverse shell on every machine where the library was downloaded and imported into a JavaScript/npm/Node.js project. The reverse shell connected out to “4.tcp.ngrok[.]io:11425”, giving the attacker a backdoor on the user’s machine, control of the compromised host and Remote Code Execution (RCE) capabilities. According to the researchers, the reverse shell only worked on UNIX-based operating systems.
This issue is tracked in our database as SB2020110220.
Last month, the npm security team removed four npm packages containing malicious code that collected the user’s IP address, geolocation and device hardware data and uploaded the information to a public GitHub page.