VYPR

npm · Malicious package advisory

Malware

twilio-voice-js-reference-components

MAL-2026-6373

Malicious code in twilio-voice-js-reference-components (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a3a57b06daad43c269fe3846083da2fdce277fd1ff3a9399533072f6e894afc2)
Package impersonates the Twilio Voice JS SDK namespace and ships a single exfiltration payload. package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install with no user interaction. index.js requires os/fs/https, collects os.hostname(), os.userInfo(), the user's home directory, DNS server configuration, and reads /etc/passwd and /etc/hosts, then POSTs the collected data over HTTPS to kocxl3uxcqn73ybo0k9e4g6d74d41upj.oastify.com — a Burp Collaborator out-of-band probe subdomain controlled by the attacker. The package contains no real reference components, has empty author/description metadata, and the name closely mimics the legitimate Twilio Voice JS package — a typosquat / dependency-confusion lure aimed at Twilio-related build systems.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.