How do I see if it found a malicious package?

The output should be similar to this example (where I actually searched for express instead to demonstrate it).

What if a malicious package was detected?

You should immediately rotate every secret stored in that project's environment variables (API keys, tokens, database passwords and the like), and treat the old values as disclosed. If the project is shared with other people, alert them so they rotate theirs as well. Remember that Continuous Integration systems and cloud hosts also hand secrets to applications through environment variables, so if you deployed one of these projects to production, or a CI pipeline installed its dependencies, rotate the secrets configured in those systems too, not only the ones on your laptop.

It didn’t find any malicious packages so I’m good right?

Not necessarily. The check only covers the packages known so far, and the npm ecosystem is so large that there is no guarantee the list is complete. If you want to be sure, rotate the secrets anyway; that is cheap compared to the damage a leaked credential can do.

What if I found another malicious package?

If you find another malicious package, report it to npm so it can be taken down as quickly as possible. Their website has details on how to contact them, or simply email security@npmjs.com.

Is there a way I can see if my Twilio account has been compromised?

If you used one of these packages in an application that had your Twilio account credentials in its environment, check your usage for unusual spikes, such as in phone calls or messages. Also rotate whatever credential was exposed: your Auth Token, or your API Key and Secret, depending on which one you use.

In case you have any questions feel free to shoot me a message: