
Malicious npm package steals WhatsApp accounts and messages

Published:

22 December 2025 at 16:08:46

Alert date:

22 December 2025 at 17:02:36

Source:

bleepingcomputer.com


Supply Chain & Dependencies, Email & Messaging, Ransomware & Malware

A malicious package in the npm registry poses as a legitimate WhatsApp Web API library. It is built to steal WhatsApp messages, harvest contact information and take over WhatsApp accounts. This is a supply chain attack aimed at developers who install the package believing it to be a genuine WhatsApp integration library, and it shows how threat actors abuse trusted package registries to distribute malware and steal private communications.

Technical details

A malicious npm package named 'lotusbail' poses as a legitimate WhatsApp Web API library derived from the popular WhiskeySockets Baileys project. The package wraps the legitimate WebSocket client and intercepts all WhatsApp traffic passing through it, capturing authentication tokens, session keys, messages, contact lists, media files and documents. The stolen data is encrypted with a custom RSA implementation before exfiltration, and the malicious code itself is hidden behind multiple obfuscation layers, including Unicode tricks, LZString compression and AES encryption. The malware also abuses WhatsApp's device pairing to link an attacker-controlled device to the victim's account, which gives the attacker persistent access to the account. To hinder analysis and debugging, the package contains 27 infinite loop traps.

Mitigation steps:

Remove the lotusbail package from all systems immediately. Because the package captures session keys and pairs its own device, removing it does not revoke the attacker's access: open the Linked Devices settings of the affected WhatsApp account, remove every device you do not recognise, and treat the account's existing sessions as compromised. When adopting a new dependency, monitor its runtime behaviour for unexpected outbound connections, especially during authentication flows. Do not rely on source code review alone; heavily obfuscated packages are built to defeat it, so validate what the package actually does at runtime.

Affected products:

npm registry
lotusbail npm package
WhatsApp Web API
WhiskeySockets Baileys project

Related links:

Related CVEs:

Related threat actors:

IOCs:

lotusbail (npm package name)
Custom RSA encryption implementation in the package code
Device pairing that links an attacker-controlled device to the account
27 infinite loop traps used to evade analysis
Unexpected outbound connections during authentication flows

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
