NPM package with 56,000 downloads compromises WhatsApp accounts

AndyC 28 December 2025

NPM package with 56,000 downloads compromises WhatsApp accounts

NPM package with 56,000 downloads compromises WhatsApp accounts

NPM package with 56,000 downloads compromises WhatsApp accounts

NPM package with 56,000 downloads compromises WhatsApp accounts

Pierluigi Paganini
December 27, 2025

An NPM package with over 56,000 downloads stole WhatsApp credentials, hid its activity, and installed a backdoor.

Koi Security researchers warned that the NPM package ‘Lotusbail’, a WhatsApp Web API library and fork of ‘Baileys’, has been stealing users’ credentials and data.

The package has been available for six months and has had over 56,000 downloads. Lotusbail supports sending and receiving WhatsApp messages, wrapping the legitimate WebSocket client so all messages pass through it first, enabling the malicious capture of information.

The Lotusbail npm package works as a fully functional WhatsApp API, making it hard to detect because it is based on the legitimate Baileys library. It wraps WhatsApp’s WebSocket client, intercepting credentials, messages, contacts, and media while continuing normal operations.

All stolen data is encrypted with custom RSA before exfiltration, using heavily obfuscated, hidden server details. The malware also hijacks WhatsApp’s device pairing process with a hardcoded code, secretly linking the attacker’s device to the victim’s account.

“The malware hijacks this process with a hardcoded pairing code. The code is encrypted with AES and hidden in the package” reads the report published by Koi Security

NPM Package WhatsApp

“This means the threat actor has a key to your WhatsApp account. When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.

The threat actor can read all your messages, send messages as you, download your media, access your contacts – full account control. “

Even after uninstalling the package, attacker access persists until devices are manually unlinked.

The package uses 27 anti-debugging traps that freeze execution when analysis tools are detected, checking for debuggers and sandboxes. The attackers even labeled malicious code sections with comments, showing a highly professional, well-organized approach to a sophisticated supply chain attack.

“Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it. Reputation systems see 56,000 downloads and trust it. The malware hides in the gap between “this code works” and “this code only does what it claims.” concludes the report. “Catching sophisticated supply chain attacks requires behavioral analysis – watching what packages actually do at runtime. When a WhatsApp library implements custom RSA encryption and includes 27 anti-debugging traps, those are signals. But you need systems watching for them.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , ,

More Stories

Trust Wallet warns users to update Chrome extension after M security loss

Trust Wallet warns users to update Chrome extension after $7M security loss

AndyC 27 December 2025
Pro-Russian group Noname057 claims cyberattack on La Poste services

Pro-Russian group Noname057 claims cyberattack on La Poste services

AndyC 27 December 2025
Aflac confirms June data breach affecting over 22 million customers

Aflac confirms June data breach affecting over 22 million customers

AndyC 27 December 2025
Spotify cracks down on unlawful scraping of 86 million songs

Spotify cracks down on unlawful scraping of 86 million songs

AndyC 27 December 2025
Five-year-old Fortinet FortiOS SSL VPN vulnerability actively exploited

Five-year-old Fortinet FortiOS SSL VPN vulnerability actively exploited

AndyC 26 December 2025
The Complete Developer’s Guide to Essential Hackathon Software: 10 Categories That Separate Winners from Participants

High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover

AndyC 26 December 2025

You may have missed

NPM package with 56,000 downloads compromises WhatsApp accounts

NPM package with 56,000 downloads compromises WhatsApp accounts

AndyC 28 December 2025
New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

AndyC 28 December 2025
Trust Wallet warns users to update Chrome extension after M security loss

Trust Wallet warns users to update Chrome extension after $7M security loss

AndyC 27 December 2025
The Complete Developer’s Guide to Essential Hackathon Software: 10 Categories That Separate Winners from Participants

Randall Munroe’s XKCD ‘Bridge Clearance’

AndyC 27 December 2025
Pro-Russian group Noname057 claims cyberattack on La Poste services

Pro-Russian group Noname057 claims cyberattack on La Poste services

AndyC 27 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.