A malicious package has been detected in the Node Package Manager (NPM) registry posing as a legitimate WhatsApp Web API library, when in reality it is designed to steal WhatsApp messages, collect contacts, and gain unauthorized access to accounts.
This threat poses a critical risk to both developers and businesses that integrate such libraries into their applications. The package, identified as a fork of the open-source WhiskeySockets Baileys project, offers seemingly legitimate functionality, which allowed it to operate undetected for months.
Published on NPM under the name lotusbail, it remained available for at least six months and accumulated over 56,000 downloads, significantly increasing the reach and potential impact of this threat. In light of this, TecnetOne strongly recommends strengthening security strategies and dependency controls in development environments.

Lotusbail package on NPM (Source: BleepingComputer)
How the Malicious NPM Package Steals WhatsApp Data
Researchers at Koi Security identified the malicious package and confirmed that it was capable of stealing WhatsApp authentication tokens and session keys, as well as intercepting and logging all incoming and outgoing messages. The analysis also revealed the exfiltration of contact lists, media files, and documents, broadening the threat’s impact on users’ sensitive information.
According to the researchers, the package wraps the legitimate WebSocket client used for communication with WhatsApp, allowing it to act as a man-in-the-middle for all traffic. This means every message flowing through the application first passes through the malicious layer, enabling the capture of credentials during the authentication process, the interception of received messages, and the logging of sent messages — all without triggering any visible alerts to the user.

Code used to capture data (Source: Koi Security)
The information captured by the package is not sent in plain text. Before leaving the system, the data passes through multiple layers of encryption and obfuscation, combining techniques such as custom RSA encryption, Unicode character tricks, compression, and AES encryption. All of this serves a clear purpose: to make detection and analysis of the data theft significantly more difficult.
But the problem doesn’t end there. In addition to stealing data, the malicious package includes code that links the attacker’s device to the victim’s WhatsApp account using the standard device pairing process. This allows the attacker to maintain persistent access to the account, even if the malicious NPM package has already been removed from the project.
In practice, access is only lost when the victim manually checks their WhatsApp settings and removes unrecognized linked devices — something most users rarely do.
To remain hidden for so long, the package uses multiple techniques designed to hinder debugging, such as infinite loop traps that complicate analysis of the code’s real behavior. These mechanisms help explain how the threat was able to go unnoticed for months.
How to Detect and Mitigate Risks in NPM Dependencies
In light of this situation, TecnetOne's recommendation for developers is clear: immediately remove the package from your environment, check for any unauthorized linked devices in your WhatsApp account, and exercise extreme caution when adding new dependencies to your projects.
Beyond a superficial review of the source code, it's crucial to analyze the actual behavior of libraries at runtime. Monitoring unexpected outbound connections, processes triggered during authentication, or real-time anomalous behavior can make the difference in detecting these threats early and preventing greater impact — a fundamental practice in any solid cybersecurity strategy like the one we promote at TecnetOne.
