NPM package with 56,000 downloads compromises WhatsApp accounts

  • Dec 27, 2025
  • 2 min read

Key Findings


  • An NPM package named 'Lotusbail' with over 56,000 downloads has been stealing WhatsApp credentials and data

  • The package is a fork of the legitimate 'Baileys' WhatsApp Web API library, making it hard to detect

  • It intercepts and exfiltrates user credentials, messages, contacts, and media, encrypting the data with custom RSA before sending it to the attacker

  • The malware also hijacks the WhatsApp device pairing process, secretly linking the attacker's device to the victim's account


Background


The 'Lotusbail' NPM package is a WhatsApp Web API library that has been available for six months and has had over 56,000 downloads. It is a fork of the legitimate 'Baileys' library, which is a popular open-source WhatsApp API.


Credential and Data Theft


The Lotusbail package works as a fully functional WhatsApp API, wrapping the legitimate WebSocket client so that all messages pass through it first. This enables the malicious capture of user information, including credentials, messages, contacts, and media.


Persistent Account Access


The malware hijacks the WhatsApp device pairing process using a hard-coded pairing code, secretly linking the attacker's device to the victim's account. This gives the attacker persistent, full access to the victim's WhatsApp account, even after the package is uninstalled.


Anti-Analysis Techniques


The package employs 27 anti-debugging traps that check for debuggers and sandboxes and freeze execution when analysis tools are detected. The attackers have also labeled the malicious code sections with comments, indicating a highly professional and well-organized approach to this sophisticated supply chain attack.


Detection Challenges


Traditional security measures, such as static analysis and reputation systems, are unable to detect this type of attack, as the malware hides in the gap between "this code works" and "this code only does what it claims." Behavioral analysis is required to identify the suspicious activities, such as custom encryption and anti-debugging measures.


Sources


  • https://securityaffairs.com/186174/malware/npm-package-with-56000-downloads-compromises-whatsapp-accounts.html

  • https://x.com/shah_sheikh/status/2004853376081596628
