NPM Package with 56K Downloads Caught Stealing WhatsApp Messages

https://news.ycombinator.com/rss Hits: 11
Summary

The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing.

Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server.

Koidex report for lotusbail package

What gets captured:

- Authentication tokens and session keys
- Complete message history (past and present)
- Full contact lists with phone numbers
- Media files and documents
- Persistent backdoor access to your WhatsApp account

How It Works

The Cover Is Real

Most malicious npm packages reveal themselves quickly - they're typosquats, they don't work, or they're obviously sketchy. This one actually functions as a WhatsApp API. It's based on the legitimate Baileys library and provides real, working functionality for sending and receiving WhatsApp messages.

Obvious malware is easy to spot. Functional malware? That gets installed, tested, approved, and deployed to production.

The social engineering here is brilliant: developers don't look for malware in code that works. They look for code that breaks.

The Theft and Exfiltration

The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first.

When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them. The legitimate functionality continues working normally - the malware just adds a second recipient for everything.

All your WhatsApp authentication tokens, every message sent or received, complete...
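A dependency-audit check that follows from the above, added here as an example and not taken from the article or from any vendor tooling: it scans a package-lock.json (lockfileVersion 2 or 3) for installed packages whose names look like WhatsApp-library forks but are not the scoped @whiskeysockets/baileys package. The lookalike name patterns and the sample lock file are constructed assumptions for the example.

```javascript
// Added example, not code from the article: flag npm packages whose names
// resemble the WhatsApp library but are not the legitimate scoped package.
// Assumes a package-lock.json with lockfileVersion 2 or 3 ("packages" map).
const LEGIT = new Set(['@whiskeysockets/baileys']);
// Heuristic lookalike patterns (assumption: adjust to your dependency policy).
const LOOKALIKE = [/bail/i, /whatsapp/i, /wa-?socket/i];

// Extract the package name from a lock key such as
// "node_modules/foo/node_modules/@scope/pkg" -> "@scope/pkg".
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Return every non-allowlisted package whose name matches a lookalike pattern.
function findLookalikes(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry, not a dependency
    const name = packageName(key);
    if (LEGIT.has(name)) continue;
    if (LOOKALIKE.some((re) => re.test(name))) {
      hits.push({ name, version: meta.version, resolved: meta.resolved });
    }
  }
  return hits;
}

// Constructed sample lock file: one lookalike fork installed next to the
// legitimate library. Versions and URLs are made up for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-bot', dependencies: { lotusbail: '^1.0.0' } },
    'node_modules/lotusbail': { version: '1.0.0', resolved: 'https://registry.example.invalid/lotusbail-1.0.0.tgz' },
    'node_modules/@whiskeysockets/baileys': { version: '1.0.0' },
    'node_modules/ws': { version: '1.0.0' },
  },
};

// Usage: node audit.js ./package-lock.json  (falls back to the sample lock).
if (typeof require === 'function' && process.argv[2]) {
  const fs = require('fs');
  console.log(findLookalikes(fs.readFileSync(process.argv[2], 'utf8')));
} else {
  console.log(findLookalikes(SAMPLE_LOCK)); // prints one hit: lotusbail 1.0.0
}
```

A hit is a prompt for manual review, not proof of malice; an unscoped fork of a library that has an official scoped package is exactly the shape this incident took.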

First seen: 2025-12-22 23:36

Last seen: 2025-12-23 09:38