
Malicious NPM Package Masquerading as WhatsApp Web API Steals Messages and Account Access


A malicious package hosted on the npm registry has been found impersonating a genuine WhatsApp Web API library in order to spy on the WhatsApp accounts of applications built with it. Disguised as a legitimate developer tool, the package siphons WhatsApp messages, harvests contact details, and ultimately takes control of the linked account.

The package is a fork of the widely used WhiskeySockets Baileys project, an unofficial WhatsApp Web API library. It offers the same functionality as the original, which is what makes it convincing: the malicious fork was published on npm under the name lotusbail, had been available for at least six months, and was downloaded more than 56,000 times in that period.

The issue was uncovered by researchers at supply-chain security firm Koi Security. Their analysis revealed that the package is capable of capturing WhatsApp authentication tokens and session keys, monitoring all incoming and outgoing messages, and extracting sensitive data such as contact lists, media, and shared documents.

"The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first," the researchers explain.
"When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them."

According to the researchers, the stolen data is encrypted before exfiltration using a custom RSA-based scheme, combined with several further layers of obfuscation, including Unicode manipulation, LZString compression, and AES encryption. Each layer has to be unpicked before the payload or the code handling it can be inspected, which makes detection and analysis significantly more difficult.

Beyond data theft, the malicious code silently links a device controlled by the attacker to the victim's WhatsApp account using WhatsApp's own device-linking mechanism. Because the linkage lives in the WhatsApp account rather than in the code, access survives removal of the npm package: it persists until the victim reviews the linked devices in their WhatsApp settings and removes the entry they do not recognise.

Koi Security also noted that lotusbail contains 27 infinite-loop traps intended to stall debuggers, a tactic that likely helped it evade detection for so long.

Developers who may have installed the package should remove it immediately, including any transitive copy pulled in by another dependency, treat the session keys the wrapper could have captured as compromised, and check their WhatsApp account for linked devices they do not recognise. Koi Security further warns that scanning source code alone is insufficient: developers should also observe a new dependency's runtime behaviour, watching for unexpected outbound connections or unusual activity during authentication.