{"id":"MAL-2026-10593","summary":"Malicious code in twiliobox (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a94eb66c6d3f03cf5b4e2e13527b9ab9bcb1ae85e75b62f79f58e225b941970)\nOn npm install, twiliobox@1.0.0 runs its declared postinstall script (node.init.js), which enumerates credential-shaped environment variables (NPM_TOKEN, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, STRIPE, DB, SSH, GCP, Azure, etc.), reads ~/.npmrc, ~/.env*, and ~/.config/* files matching token/credential/secret patterns, and collects host identifiers (os.hostname, os.platform, process.cwd, pid). The harvested data is POSTed via https.request to a hardcoded third-party endpoint at webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s. The package name resembles the well-known 'twilio' library, consistent with a typosquat lure. Installing this package on a developer or CI machine causes automatic transmission of installer-side secrets to an attacker-controlled webhook.\n","modified":"2026-07-14T14:49:16.376085990Z","published":"2026-07-14T13:59:56Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-14T13:59:56Z","sha256":"1a94eb66c6d3f03cf5b4e2e13527b9ab9bcb1ae85e75b62f79f58e225b941970","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-010515","import_time":"2026-07-14T14:37:52.478878888Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/twiliobox/v/1.0.0"}],"affected":[{"package":{"name":"twiliobox","ecosystem":"npm","purl":"pkg:npm/twiliobox"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":".init.js","sha256":"6eb3939e40f85d1c3f591a3cd3a3edf0fd00c9b09fd7cb48f62e11edca3219b2","tlsh":"d9513181849e521310db2af168034c00a67ee59b3435e6e17e8f02249fddc6c85b3fbd"}],"package_integrity":[{"filename":"twiliobox-1.0.0.tgz","hashes":{"sha512_sri":"sha512-K7Nz+Oif7pnCAbOe34j0ovvTloJg9XLtgMS9is+tgyVQZdjpl5n6H3LnqRfupw5IwGBNQqG+8XS/Wco4D+Y9XQ==","sha1":"3c13df50decd565300f2d58004068035d2dd1395"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twiliobox/MAL-2026-10593.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}