Company
Date Published
Author
Security
Word count: 1278
Language: English
Hacker News points: 2

Summary

Twilio's security team discovered that a modified version of their TaskRouter JS SDK had been uploaded to the cloud storage that hosted it, which could have allowed a malicious actor to inject code into customers' browsers. The modification was made by an individual using the Tor anonymizing network and was possible because of a misconfiguration in one of Twilio's S3 buckets that hosted the library. The attacker aimed to serve malicious advertising to users on mobile devices as part of a larger malvertising campaign associated with the Magecart group of attacks. Twilio quickly contained and remediated the incident, replacing the modified library and locking down the permissions on the affected S3 bucket. An investigation revealed that other buckets also had improper write settings, but no customer data was accessed by the attacker. To prevent similar issues in the future, Twilio plans to restrict direct access to S3 buckets, improve monitoring of bucket policy changes, and provide integrity checking for customers. Users who downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th and July 20th should re-download it and replace the old version with the updated one.