Trick or treat: That `twilio-npm` package is brandjacking malware in disguise!

November 02, 2020 By Ax Sharma

5 minute read time

As if the increasing attacks on the open source ecosystem and vulnerabilities making headlines weren't scary enough events, this Halloween devs were exposed to another malicious trick.

Fortunately, however, the malware that was disguised and lurking inside the npm open source registry, was rapidly detected by Sonatype's Release Integrity malicious code detection service.

Released October 30, 2020, the package `twilio-npm` has already scored 371 downloads over the Halloween weekend.

At the time of writing, the malicious package was still live on npm downloads.

This brandjacking discovery comes shortly after Sonatype's Release Integrity identified typosquatting malware `electorn` in September.

How did Sonatype spot `twilio-npm` malware?

Sonatype's Release Integrity, which is part of our Advanced Development Pack for Sonatype Lifecycle, is a proactive AI/ML based solution which regularly sweeps open source repositories for suspicious behavior and counterfeit components. It perpetually scans components mirrored from OSS repositories such as npm to determine if anything looks out of place.

That means anytime an author publishes a new component to npm, it's picked up by our robot engine and analyzed, in near real-time.

Based on a series of over 5 dozen "signals" or indicators such as how old the component is, the reputation of its author, and the nature of code contained within the component, our bots assign a probabilistic score. A higher score means it's more likely that the package is malicious.

That's how we spotted `twilio-npm` shortly after its release on the npm registry.

"Open source software is being published and consumed every day at an increasingly massive scale, yet most security protections still rely on community trust and human oversight -- which can be easily abused. We knew we needed a safeguard for our customers that could work quickly and at an equally massive scale. With this latest finding we've proven it can be done successfully," said AJ Brown, Product Manager at Sonatype.

What's inside `twilio-npm`?

Hint: Not a Twilio client, that's for sure! 

There exist multiple legitimate packages on the npm registry related to or representing the official Twilio service. All of which are not malicious and good to use. Twilio is not involved and has nothing to do with this attempt at brandjacking.

Twilio is a leading cloud communications platform-as-a-service that enables developers to build VoIP-based applications capable of programmably placing and receiving telephone calls and text messages.

The official twilio npm package gets downloaded close to half-a-million times weekly.

Its sheer popularity explains why threat actors might be interested in tricking Twilio developers with an identically named counterfeit component.

The counterfeit `twilio-npm` package is a single-file malware and has three versions available to download, from 1.0.0 to 1.0.2. All three versions appear to have been released the same day, October 30, 2020.

Version 1.0.0 doesn't accomplish much. It comprises just a tiny manifest file, package.json which pulls a resource located at an ngrok subdomain.

ngrok is a legitimate service that devs use when test driving their app; specifically to open up connections to their "localhost" server applications behind a NAT or firewall.

At the time of our testing, accessing the URL throws, "Tunnel bab22984bca5.ngrok.io not found."

Twilio_1Twilio-npm malware spotted by Sonatype’s automated detection systems
Source: Sonatype 

Starting with version 1.0.1 and 1.0.2 however, the same manifest has its postinstall script modified to carry out a sinister task.

Twilio_2Versions 1.0.1 and 1.0.2 of twilio-npm malware launch reverse shell to an ngrok subdomain
Source: Sonatype

As soon as one of these versions of  `twilio-npm` is installed on Unix-based systems, a TCP reverse shell is launched in the background to an external server: `4.tcp.ngrok[.]io:11425`.

This effectively opens a backdoor on the user's machine giving the attacker control of the compromised machine and Remote Code Execution (RCE) capabilities.

Now, ngrok's use case in this context becomes more clear: To get a reverse shell on the victim's machine without worrying about a NAT or firewall.

Why are brandjacking attacks concerning?

Typosquatting and brandjacking attacks that capitalize on an existing brand are harmful for the brand itself whose product is being imitated, its customers, and the developers pulling these open source packages into their software supply chains.

An unsuspecting developer mistaking `twilio-npm` for the official Twilio npm client puts not only themselves at risk to be compromised, but extends the ability for the attackers to cast their net "downstream."

That is, any customer or developer who includes a NodeJS package in their development project which uses an infected package as a dependency is now infected too. In theory, this cycle could continue to cascade down multiple levels, if the counterfeit component remains undetected.

Brandjacking attacks on the open source ecosystem have been rising exponentially.

Sonatype's report of `twilio-npm` follows shortly after npm removed a malicious package, in mid-October, that impersonated a "Slack client" but in effect launched reverse shells on Windows and Linux machines.

Indicators of Compromise (IoCs)

bab22984bca5.ngrok[.]io
4.tcp.ngrok[.]io:11425

Timeline

Sonatype's timeline related to the malicious package's discovery and reporting is as follows:

    1. October 30, 2020: Malicious package `twilio-npm` is published to npm registry.
    2. October 31, 2020: Within a few hours of the package's release, Sonatype's automated malware detection bots ingest the package and flag it as suspicious. The malicious package is assigned identifier sonatype-2020-1058.
    3. November 2, 2020: Public disclosure via blog post and to npm and ngrok.

Our reason for the public disclosure centers on the fact that the package is already live on NPM and has secured hundreds of downloads in real-time. Those who install this package inadvertently are already at the risk of compromising their machines and software supply chains. Therefore, the standard vulnerability disclosure timelines would not apply in this case.

Based on the visibility we have, no Sonatype customers have downloaded this package and our customers remain protected against counterfeit components like `twilio-npm`.

Sonatype's world-class open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from infections like these.

If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Sonatype Vulnerability Scanner to find out quickly.

Visit the Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive intelligence insights hot off the press.

Tags: vulnerabilities, featured, Product, malicious code npm

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.