A malicious package listed on the Node Package Manager registry has been discovered posing as a legitimate WhatsApp Web API library while secretly stealing user data and compromising accounts.
The package, named lotusbail, pretends to be a fork of the widely used WhiskeySockets Baileys project and offers the same expected functionality, making it difficult for developers to detect.
Security researchers say the package has been available on NPM for at least six months and has already been downloaded more than 56,000 times. Despite appearing legitimate, it was designed to secretly collect sensitive information from WhatsApp accounts connected through it.
According to researchers at supply chain security firm Koi Security, the package is capable of stealing WhatsApp authentication tokens and session keys. It can intercept and record all incoming and outgoing messages, as well as extract contact lists, media files, and shared documents. The malicious code works by wrapping the legitimate WebSocket connection used to communicate with WhatsApp, allowing it to monitor everything that passes through the application.
When a user authenticates their WhatsApp account, the malware captures the login credentials. It continues to monitor activity by recording messages as they are received or sent, all without the user’s knowledge. The stolen data is heavily protected using multiple layers of encryption and obfuscation before being sent to the attacker’s servers, making detection and analysis more difficult.
In addition to data theft, the package includes functionality that links the attacker’s device to the victim’s WhatsApp account using the platform’s device pairing feature. This allows the attacker to maintain access even after the malicious package is removed from the system. The unauthorized access remains active until the victim manually reviews and removes unknown linked devices from their WhatsApp settings.
Koi Security also found that the package uses dozens of infinite loop traps designed to block debugging attempts and delay security analysis. This tactic likely helped the malware remain undetected for months while continuing to spread.
Developers who may have installed the lotusbail package are strongly advised to remove it immediately and review their WhatsApp accounts for unfamiliar linked devices. Researchers warn that simply reviewing source code is no longer enough to ensure safety. They recommend monitoring runtime behavior, network activity, and authentication processes when adding new dependencies to detect suspicious behavior early.
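As an added defender-side example (not code from the article or from Koi Security), the following Node script walks a parsed package-lock.json (lockfileVersion 2 or 3) and reports every place the lotusbail package appears, including transitive installs and installs under an npm alias, which a plain `npm ls lotusbail` style check by name can miss; the lockfile contents and version strings are constructed.

```javascript
// Added example: locate a named npm package anywhere in a lockfile's
// dependency tree. Works on the "packages" map of lockfileVersion 2/3.
const SUSPECT = 'lotusbail';

// Returns [{ path, name, version }] for every install of `suspect`.
// `lock` is the parsed package-lock.json object.
function findPackage(lock, suspect = SUSPECT) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '') continue; // "" is the root project itself
    // The text after the last "node_modules/" is the name the package
    // was installed under (scoped names like @scope/name stay intact).
    const segments = installPath.split('node_modules/');
    const installedAs = segments[segments.length - 1];
    // Aliased installs (npm i baileys@npm:lotusbail) live under the alias
    // directory but keep the real package name in the "name" field.
    const realName = meta.name || installedAs;
    if (realName === suspect || installedAs === suspect) {
      hits.push({ path: installPath, name: realName, version: meta.version || 'unknown' });
    }
  }
  return hits;
}

// Human-readable report lines, one per hit (empty array means clean).
function report(lock, suspect = SUSPECT) {
  return findPackage(lock, suspect).map(
    (h) => `${suspect} found at ${h.path} (installed as ${h.path.split('node_modules/').pop()}, version ${h.version})`
  );
}

// Constructed sample lockfile: the package appears directly, transitively
// under another dependency, and hidden behind an npm alias. All versions
// are placeholders, not real lotusbail releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { lotusbail: '*' } },
    'node_modules/lotusbail': { version: '0.0.0-constructed' },
    'node_modules/some-bot/node_modules/lotusbail': { version: '0.0.0-constructed' },
    'node_modules/baileys': { name: 'lotusbail', version: '0.0.0-constructed' },
    'node_modules/ws': { version: '8.0.0' },
  },
};

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

To scan a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means the package should be removed and the WhatsApp account's linked devices reviewed.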