
Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

Published:

22 December 2025 at 16:28:00

Alert date:

22 December 2025 at 18:02:16

Source:

thehackernews.com


Supply Chain & Dependencies, Email & Messaging, Ransomware & Malware

A malicious npm package named 'lotusbail' was discovered that works as a WhatsApp API client while secretly intercepting messages, contacts, and login tokens. The package has been downloaded over 56,000 times since it was uploaded to the npm registry. It can link an attacker's device to a victim's WhatsApp account, giving the attacker full access to the victim's communications. This is a significant supply chain attack targeting developers who use npm packages for WhatsApp integration.

Technical details

The malicious npm package 'lotusbail' functions as a working WhatsApp API but contains hidden malware. It uses a malicious WebSocket wrapper to intercept authentication tokens, session keys, message history, contact lists, and media files. The package is modeled on the legitimate '@whiskeysockets/baileys' library. It hijacks the device-linking process using a hard-coded pairing code, which gives the attacker persistent access to the WhatsApp account even after the package is uninstalled, because the linked device remains registered with the account. The malware includes anti-debugging logic that traps the process in an infinite loop when debugging tools are detected. Stolen data is encrypted and transmitted to attacker-controlled servers.

Mitigation steps:

Uninstall the lotusbail package if it is installed. Because the attacker's device stays linked after uninstallation, also review the linked devices in WhatsApp settings and remove any device you do not recognize. Implement supply chain security measures that verify package authenticity before installation. Use static analysis tools that can detect behavioral anomalies (such as unexpected network wrappers or anti-debugging tricks) rather than only verifying that the package's functional code works.

Affected products:

npm package lotusbail
WhatsApp Web API
NuGet packages:
binance.csharp
bitcoincore
bybitapi.net
coinbase.net.api
googleads.api
nbitcoin.unified
nethereumnet
nethereumunified
netherеum.all
solananet
solnetall
solnetall.net
solnetplus
solnetunified
Nethereum .NET integration library
Google Ads OAuth

Related links:

Related CVEs:

Related threat actors:

IOCs:

lotusbail (npm package)
seiren_primrose (npm user)
Hard-coded pairing codes for device linking
Malicious WebSocket wrapper
Anti-debugging infinite loop mechanisms
NuGet packages: binance.csharp, bitcoincore, bybitapi.net, coinbase.net.api, googleads.api, nbitcoin.unified, nethereumnet, nethereumunified, netherеum.all, solananet, solnetall, solnetall.net, solnetplus, solnetunified

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
