this is exactly why SRI is so important
I'm assuming that Twilio weren't serving their SDK directly from the unsecured S3 bucket and therefore that this was some sort of internal copy. If, by chance, it were the master copy and the change went undetected and was then made public via the official route, the malicious code would have been included in the hash.
SRI can detect changes made after code has been published; if the code has been changed by the back door before it's published, it doesn't really help. That's not to say you shouldn't use it for the cases it covers.