twilio / twilio-video-app-react

A collaboration application built with the twilio-video.js SDK and React.js
Apache License 2.0

Malware found upon npm install #776

Closed mrobert closed 1 year ago

mrobert commented 1 year ago

Severity: critical
Malware in twilio-video-app-react: https://github.com/advisories/GHSA-6fpq-f494-hg4f

"Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it."

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://www.twilio.com/blog/open-source-video-apps-reactjs-ios-android' or follow along with 'https://www.youtube.com/watch?v=pSASQcHrmPg'
  2. On the command line, within the cloned twilio-video-app-react directory, run 'npm install'
  3. Many vulnerabilities are found, with the malware above being the most critical.

Expected behavior
Following along with the tutorial without becoming compromised.

Screenshots
I'm attaching the npm audit report after running 'npm audit fix --force': npm-debug_twilio-video-app-react-vulnerabilities.log

Environment (please complete the following information):
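Triage logic for the `npm audit` result described in the report above, added here as an example and not code from the project or the issue: it parses an `npm audit --json` report (the auditReportVersion 2 format of npm 7+), lists advisories at or above a chosen severity with their GHSA ids, and flags malware advisories separately, because the remediation the advisory quotes is host-level (treat the machine as compromised, rotate secrets elsewhere) rather than `npm audit fix --force`. The sample report is constructed and trimmed to the keys the code reads; `example-dep`, `example-parent` and their advisory are placeholders, while the GHSA id is the one cited in the issue.

```python
import json

# Constructed sample of `npm audit --json` output (auditReportVersion 2), trimmed to
# the keys used below. The twilio-video-app-react advisory is the one from the issue;
# "example-dep" and "example-parent" are invented placeholders.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "twilio-video-app-react": {"severity": "critical", "isDirect": True, "range": "*",
        "via": [{"source": 1000001, "name": "twilio-video-app-react", "severity": "critical",
                 "title": "Malware in twilio-video-app-react",
                 "url": "https://github.com/advisories/GHSA-6fpq-f494-hg4f"}]},
    "example-dep": {"severity": "moderate", "isDirect": False, "range": "<1.0.0",
        "via": [{"source": 1000002, "name": "example-dep", "severity": "moderate",
                 "title": "Placeholder: ReDoS in example-dep",
                 "url": "https://github.com/advisories/GHSA-PLACEHOLDER"}]},
    # vulnerable only through example-dep, so npm records `via` as a bare package name
    "example-parent": {"severity": "moderate", "isDirect": True, "range": "*",
                       "via": ["example-dep"]}}})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def triage_audit(report_json, min_severity="high"):
    """Return advisories at or above min_severity, most severe first. Only dict
    entries in `via` carry an advisory; string entries just point at another
    vulnerable package and are skipped so nothing is counted twice."""
    findings = []
    for pkg, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if not isinstance(via, dict):
                continue
            if SEVERITY_RANK.get(via.get("severity"), 0) < SEVERITY_RANK[min_severity]:
                continue
            title = via.get("title", "")
            findings.append({"package": pkg, "direct": bool(vuln.get("isDirect")),
                             "severity": via["severity"], "title": title,
                             "advisory": via.get("url", "").rsplit("/", 1)[-1],
                             # GitHub titles malware advisories "Malware in <pkg>"; their
                             # remediation is host-level, not `npm audit fix --force`.
                             "malware": title.startswith("Malware in")})
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])

def host_compromise_suspected(findings):
    """True when a malware advisory is present: rotate secrets from another machine."""
    return any(f["malware"] for f in findings)

if __name__ == "__main__":
    found = triage_audit(SAMPLE_REPORT, min_severity="moderate")
    for f in found:
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['severity']:<9}{f['advisory']:<24}{f['package']} ({kind}): {f['title']}")
    print("host compromise suspected:", host_compromise_suspected(found))
```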

mrobert commented 1 year ago

Thank you @manjeshbhargav !