A malicious package in the npm (Node Package Manager) registry has been posing as a legitimate library for interacting with the WhatsApp Web API. The package, published under the name lotusbail, is a trojanized copy of the widely used WhiskeySockets Baileys project. It went undetected for more than six months, accumulating over 56,000 downloads. Security researchers found that the package delivers the functionality a developer expects while silently compromising the privacy and account security of every user whose application depends on it.
The malware operates by wrapping the standard WebSocket client that carries traffic between the application and WhatsApp's servers. Because it sits directly on the communication path, the package can intercept every piece of data flowing through the application: authentication tokens, session keys, and the user's entire message history. WhatsApp's end-to-end encryption offers no protection here, because the library is itself the endpoint that holds the keys and decrypts the messages. The package also systematically collects media files, documents, and the complete contact list of the infected account.
To evade security tooling and manual code review, the authors of lotusbail used layered concealment. The stolen data is passed through multiple layers of encryption and obfuscation, including custom RSA implementations, AES encryption, and Unicode manipulation, and the code contains dozens of infinite-loop traps designed to hang or crash debugging tools and frustrate researchers attempting to analyze its behavior. These barriers allowed the malicious code to stay active in the registry for an extended period without raising alarms.
Beyond data theft, the package includes a mechanism that registers attacker-controlled hardware as a linked device on the victim's WhatsApp account during the initial pairing process. This creates persistent access that is independent of the malicious library itself: even if a developer realizes the package is compromised and removes it from the project, the attacker keeps full access to the WhatsApp account as a linked device. That access only ends when the victim identifies and removes the unauthorized device in the mobile app's Linked Devices settings.
Developers who have used this library should immediately audit the linked devices on every WhatsApp account their application has paired with and terminate any session they do not recognize. Since session keys were captured, any saved authentication state for the affected application should be discarded and the account re-paired after the rogue device is removed. Because the malicious logic was hidden behind heavy obfuscation, reading the source of a new dependency is often not enough to establish that it is safe. The security community instead recommends monitoring the runtime behavior of applications for unexpected outbound connections or other suspicious activity, particularly during the authentication phase, when integrating new third-party libraries.
Source: Malicious npm Package Steals WhatsApp Accounts and Messages