Trick or treat: that `twilio-npm` package is brandjacking malware in disguise!

As if the increasing attacks on the open source ecosystem and the vulnerabilities making headlines weren't scary enough, this Halloween developers were exposed to another malicious trick.


Fortunately, however, the malware disguised and lurking inside the npm open source registry was rapidly detected by Sonatype's Release Integrity malicious code detection service.

Released October 30th, the package `twilio-npm` has already scored 371 downloads over the Halloween weekend.

At the time of writing, the malicious package was still live on npm.

This brandjacking discovery comes shortly after Sonatype's Release Integrity identified the typosquatting malware `electorn` in September.

How did Sonatype spot `twilio-npm` malware?

Sonatype's Release Integrity, part of our Advanced Development Pack for Nexus Lifecycle, is a proactive AI/ML-based solution that regularly sweeps open source repositories for suspicious behavior and counterfeit components. It perpetually scans components mirrored from OSS repositories such as npm to determine whether anything looks out of place.

That means any time an author publishes a new component to npm, it's picked up by our robot engine and analyzed in near real time.

Based on a series of over five dozen "signals", or indicators such as the age of the component, the reputation of its author, and the nature of the code contained within it, our bots assign a probabilistic score. A higher score means the package is more likely to be malicious.

That’s how we spotted `twilio-npm` shortly after its release on the npm registry.
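To make the signal-scoring idea concrete, here is an added example of a toy scorer for freshly published npm packages. It is not Sonatype's code and does not reproduce Release Integrity's signals; the brand allowlist, the list of popular names, the weights, the thresholds and the sample metadata are all assumptions constructed for illustration. Two of the signals are the ones this post is about: a name that rides on a known brand without being published by that brand (brandjacking, as with `twilio-npm`) and a name within a couple of edits of a popular package (typosquatting, as with `electorn`); the remaining signals are the generic component-age, author-history and install-script checks a defender would add.

```javascript
// Added example, not Sonatype's code. Brand allowlist, popular-name list,
// weights and thresholds are assumptions chosen for illustration only.

// Brand token -> packages/scopes the brand actually publishes (constructed).
const KNOWN_BRANDS = {
  twilio: { packages: ['twilio'], scopes: ['@twilio'] },
  electron: { packages: ['electron'], scopes: ['@electron'] },
};

// Popular names worth protecting against near-miss spellings (constructed).
const POPULAR_PACKAGES = ['twilio', 'electron', 'lodash', 'express'];

const DAY_MS = 24 * 60 * 60 * 1000;

// Brandjacking signal: the name contains a brand token but the package is
// neither the brand's own package nor published under the brand's scope.
function brandjackSignal(name) {
  const lower = name.toLowerCase();
  for (const [brand, official] of Object.entries(KNOWN_BRANDS)) {
    if (official.packages.includes(lower)) return null;
    if (official.scopes.some((s) => lower.startsWith(s + '/'))) return null;
    if (lower.includes(brand)) return brand;
  }
  return null;
}

// Plain Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Typosquat signal: within two edits of a popular name, but not identical.
function typosquatSignal(name) {
  const lower = name.toLowerCase();
  for (const popular of POPULAR_PACKAGES) {
    if (lower === popular) return null;
    if (levenshtein(lower, popular) <= 2) return popular;
  }
  return null;
}

// Combine the signals into a 0..100 score with human-readable reasons.
function scorePackage(meta, now) {
  const signals = [];
  let score = 0;

  const brand = brandjackSignal(meta.name);
  if (brand) {
    signals.push(`name contains brand "${brand}" but is not published by it`);
    score += 40;
  }
  const typo = typosquatSignal(meta.name);
  if (typo) {
    signals.push(`name is within two edits of popular package "${typo}"`);
    score += 40;
  }
  if ((now - meta.publishedAt) / DAY_MS < 7) {
    signals.push('component published less than a week ago');
    score += 15;
  }
  if (meta.author.packagesPublished < 3) {
    signals.push('author has little publishing history');
    score += 15;
  }
  const scripts = meta.scripts || {};
  if (['preinstall', 'install', 'postinstall'].some((k) => k in scripts)) {
    signals.push('lifecycle script runs code at install time');
    score += 20;
  }
  return { score: Math.min(score, 100), signals };
}

// Constructed sample metadata. Only the name and publish date of the first
// entry come from the post; author history and scripts are made up.
const NOW = Date.UTC(2020, 10, 2); // 2 Nov 2020, the Halloween weekend
const SAMPLES = {
  brandjacked: { name: 'twilio-npm', publishedAt: Date.UTC(2020, 9, 30),
                 author: { packagesPublished: 1 } },
  typosquat:   { name: 'electorn', publishedAt: Date.UTC(2020, 10, 1),
                 author: { packagesPublished: 0 } },
  official:    { name: 'twilio', publishedAt: Date.UTC(2016, 0, 1),
                 author: { packagesPublished: 50 } },
};

function scoreAllSamples() {
  const out = {};
  for (const [label, meta] of Object.entries(SAMPLES)) {
    out[label] = scorePackage(meta, NOW);
  }
  return out;
}

module.exports = { brandjackSignal, typosquatSignal, levenshtein, scorePackage, scoreAllSamples };
```

Running `scoreAllSamples()` scores `twilio-npm` and `electorn` at 70 each (the name signal plus the age and author signals) and the genuine `twilio` package at 0. The useful design point is that no single signal decides: a brand token in a name is legitimate when the brand itself publishes it, so the allowlist check runs before the substring check, and short or identical names are excluded from the edit-distance test to keep false positives down.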

“Open source software is being published and consumed every day at an increasingly massive scale, yet most security protections still rely on community trust and human oversight — which can be easily abused. We knew we needed a safeguard for our customers that could work quickly and at an equally massive scale. With this (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: