registry  /  twiliobox  /  1.0.0

twiliobox@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10593 confirms this npm version as malicious. On npm install, twiliobox@1.0.0 runs its declared postinstall script (node.init.js), which enumerates credential-shaped environment variables (NPM_TOKEN, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, STRIPE, DB, SSH, GCP, Azure, etc.), reads ~/.npmrc, ~/.env*, and ~/.config/* files matching token/credential/secret patterns, and collects host identifiers (os.hostname, os.platform, process.cwd, pid)...

Advisory
MAL-2026-10593
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in twiliobox (npm)
Details
On npm install, twiliobox@1.0.0 runs its declared postinstall script (node.init.js), which enumerates credential-shaped environment variables (NPM_TOKEN, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, STRIPE, DB, SSH, GCP, Azure, etc.), reads ~/.npmrc, ~/.env*, and ~/.config/* files matching token/credential/secret patterns, and collects host identifiers (os.hostname, os.platform, process.cwd, pid). The harvested data is POSTed via https.request to a hardcoded third-party endpoint at webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s. The package name resembles the well-known 'twilio' library, consistent with a typosquat lure. Installing this package on a developer or CI machine causes automatic transmission of installer-side secrets to an attacker-controlled webhook.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 18 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present