NPM Package With 56,000 Downloads Steals WhatsApp Credentials, Data
A malicious NPM package that functions as a WhatsApp Web API library has been caught stealing users’ credentials and data, Koi Security warns.
The package, ‘Lotusbail’, a fork of the ‘Baileys’ library, has been available in the NPM repository for six months and has gathered over 56,000 downloads to date.
According to Koi, Lotusbail does support sending and receiving WhatsApp messages, but it wraps the legitimate WebSocket client so that every message passes through the wrapper first.
This means that the wrapper captures users’ credentials, as well as all incoming and outgoing messages, and delivers all the information to the malware operator.
“All your WhatsApp authentication tokens, every message sent or received, complete contact lists, media files – everything that passes through the API gets duplicated and prepared for exfiltration,” Koi says.
The package encrypts all the collected information using a custom RSA implementation before transmission, to evade detection.
Additionally, the malware was observed hijacking WhatsApp’s device pairing process to add the attacker’s own device and gain backdoor access to a victim’s account.
“When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there,” Koi notes.
Uninstalling the malicious package, Koi explains, is not enough to remove the attackers’ access. Victims need to manually unlink all devices from WhatsApp’s settings.
The Lotusbail NPM package, the cybersecurity firm notes, is part of a sophisticated supply chain attack that also includes dozens of checks for debuggers, sandboxes, and other analysis tools, to evade traditional detection.
This article was published by SecurityWeek.