Fake WhatsApp API Package on npm Steals User Data
- Dec 23, 2025
Key Findings:
A malicious npm package named "lotusbail" has been discovered that poses as a functional WhatsApp API, but actually steals users' messages, contacts, and login tokens.
The package has been downloaded over 56,000 times since it was first uploaded in May 2025.
The package is designed to capture authentication tokens, session keys, message history, contact lists, media files, and documents, and transmit the stolen data to an attacker-controlled server.
The package also contains a feature to hijack the device linking process, allowing the attacker to persistently access the victim's WhatsApp account even after the package is uninstalled.
The malware employs anti-debugging capabilities to evade detection and analysis.
Background
The malicious package, "lotusbail," is modeled on the legitimate WebSockets-based TypeScript library "@whiskeysockets/baileys," which is used to interact with the WhatsApp Web API. The attacker wrapped the WebSocket layer with malicious code through which authentication information and messages are routed, allowing them to capture credentials and chats.
Stolen Data and Persistent Access
The stolen data includes authentication tokens, session keys, message history, contact lists with phone numbers, as well as media files and documents. Additionally, the package contains a feature to hijack the device linking process, enabling the attacker to persistently access the victim's WhatsApp account even after the package is uninstalled.
Evasion Tactics
The malware employs anti-debugging capabilities that cause it to enter an infinite loop trap when debugging tools are detected, effectively freezing the execution and evading analysis.
Supply Chain Attacks Evolving
The researchers note that this incident highlights the ongoing challenges in addressing supply chain attacks, as traditional security measures are often unable to detect such sophisticated malware hidden within seemingly legitimate code. The malware takes advantage of the gap between "this code works" and "this code only does what it claims."
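One practical way to narrow that gap is to audit the lockfile rather than trusting that a dependency "works." The following is an added example, not code from the article or from any of the cited researchers: it scans a package-lock.json (lockfile v2/v3 "packages" map) for the package named above and for two generic supply-chain red flags. The lockfile it runs against is constructed sample input; the version numbers and tarball URLs in it are placeholders.

```javascript
// Added example (not from the article): audit an npm lockfile for the
// package named in the article plus two generic supply-chain red flags.
const KNOWN_MALICIOUS = new Set(['lotusbail']);      // name taken from the article
const REGISTRY = 'https://registry.npmjs.org/';      // expected tarball origin

// Returns a list of { name, reason } findings, one per flagged condition.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                        // the root project entry
    // Nested paths look like "node_modules/a/node_modules/b"; keep the leaf name.
    const name = entry.name || path.replace(/^.*node_modules\//, '');
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: 'known malicious package' });
    }
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ name, reason: `resolved outside the registry: ${entry.resolved}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, reason: 'declares an install script (review before trusting)' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one legitimate dependency and the malicious one.
// Versions and tarball URLs are placeholders, not real published artifacts.
const SAMPLE_LOCK = {
  name: 'demo-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-bot', dependencies: { lotusbail: '*' } },
    'node_modules/@whiskeysockets/baileys': {
      version: '0.0.0',
      resolved: 'https://registry.npmjs.org/@whiskeysockets/baileys/-/baileys-0.0.0.tgz',
    },
    'node_modules/lotusbail': {
      version: '0.0.0',
      resolved: 'https://example.invalid/lotusbail-0.0.0.tgz',
      hasInstallScript: true,
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the known-malicious set should be fed from a maintained advisory feed rather than the single name shown here.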
Similar Malicious Campaigns
In a related development, ReversingLabs has also disclosed details of 14 malicious NuGet packages that impersonate Nethereum, a .NET integration library for the Ethereum blockchain, and other cryptocurrency-related tools. These packages are designed to redirect transaction funds to attacker-controlled wallets or exfiltrate private keys and seed phrases.
Sources
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
https://www.reddit.com/r/SecOpsDaily/comments/1pt6bfu/fake_whatsapp_api_package_on_npm_steals_messages/
https://x.com/shah_sheikh/status/2003155265554616752
https://www.instagram.com/p/DSkqCp9Dzd8/