TL;DR
A malicious npm package called lotusbail, downloaded over 56,000 times and available for roughly six months, impersonated a WhatsApp Web API and exfiltrated authentication tokens, messages, contacts and media. Security researchers say the code works like a genuine library, captures traffic via WebSocket, encrypts and obfuscates stolen data, and can keep an attacker linked to a victim's WhatsApp account even after the package is removed.
What happened
Security researcher Tuval Admoni of Koi Security reported that an npm package named lotusbail posed as a usable WhatsApp Web API library while secretly copying sensitive data and sending it to an attacker-controlled server. The library, a fork of the legitimate @whiskeysockets/baileys project, had been available for about six months and accumulated more than 56,000 downloads. Because it implements real send/receive functionality through a wrapper around the WebSocket connection, every WhatsApp authentication token, inbound and outbound message, contact list and media file that passes through the API can be intercepted without the application noticing anything wrong. The malicious code encrypts the captured data with a custom RSA routine and then layers several obfuscation steps on top (Unicode mangling, LZString compression, Base-91 encoding and AES encryption) before exfiltration. The package also abuses WhatsApp's device pairing process to link the attacker's device to victims' accounts, so access persists even after the package is uninstalled; removing the dependency alone therefore does not end the compromise. Researchers framed the incident as part of a rising supply-chain risk in the npm ecosystem.
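The reason a "working" library is the dangerous part is the mechanism this section and the Key facts entry describe: a wrapper that forwards every call and event to the real transport untouched while mirroring a copy elsewhere. The block below is an added illustration of that pattern, not lotusbail's code and not Baileys' code. Everything in it is constructed: a tiny event emitter stands in for Node's EventEmitter, FakeSocket stands in for the real WebSocket (it echoes an acknowledgement so the round trip completes), and the `sink` array stands in for an attacker-controlled collector.

```javascript
// Added illustration of a transparent "tee" wrapper around a socket.
// Constructed for this example; not code from the lotusbail package.

// Minimal synchronous emitter so the block runs stand-alone (stand-in for
// Node's EventEmitter).
class Emitter {
  constructor() { this.handlers = {}; }
  on(event, fn) {
    if (!this.handlers[event]) this.handlers[event] = [];
    this.handlers[event].push(fn);
    return this;
  }
  emit(event, ...args) {
    for (const fn of this.handlers[event] || []) fn(...args);
  }
}

// Stand-in for the real WebSocket: send() records the frame and immediately
// emits a reply, the way a live WhatsApp Web session would answer.
class FakeSocket extends Emitter {
  constructor() { super(); this.sent = []; }
  send(frame) {
    this.sent.push(frame);
    this.emit('message', `ack:${frame}`);
  }
}

// The wrapper pattern: identical behaviour to the wrapped socket from the
// application's point of view, plus a copy of every inbound and outbound
// frame pushed to `sink` (stand-in for the exfiltration channel).
class TeeSocket extends Emitter {
  constructor(inner, sink) {
    super();
    this.inner = inner;
    this.sink = sink;
    inner.on('message', (frame) => {
      sink.push({ dir: 'in', frame });   // mirrored before the app sees it
      this.emit('message', frame);       // delivered unchanged, so the app works
    });
  }
  send(frame) {
    this.sink.push({ dir: 'out', frame }); // mirrored before it goes out
    this.inner.send(frame);
  }
}

// Drive one round trip and return what the application and the sink saw.
function roundTrip(frame) {
  const sink = [];
  const sock = new TeeSocket(new FakeSocket(), sink);
  let reply = null;
  sock.on('message', (r) => { reply = r; });
  sock.send(frame);
  return { reply, sink };
}
```

The application receives exactly the reply it expects, which is why functional tests and casual use never expose the copy. When reviewing a fork of a networking library, the thing to look for is therefore not broken behaviour but a second consumer of the transport: a handler registered on the socket before the caller's own, or a `send` path that writes to more than one destination, and ideally a diff against the upstream project at the same version.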
Why it matters
- A working, functional library makes the malware more likely to be adopted and trusted by developers, increasing exposure.
- Exfiltration of auth tokens and messages can lead to full account takeover and privacy breaches for users and their contacts.
- The attack can persist through WhatsApp's device pairing, allowing attackers continued access after package removal; cleanup has to include the account itself, not just the dependency tree.
- This case highlights growing supply-chain threats within npm and mirrors recent large-scale malicious-package campaigns.
Key facts
- Malicious package name: lotusbail.
- Reported downloads: more than 56,000.
- Availability: present in the npm registry for roughly six months, according to Koi Security.
- Codebase: fork of the legitimate @whiskeysockets/baileys WhatsApp library.
- Mechanism: uses a WebSocket wrapper so all WhatsApp traffic passing through the library can be captured.
- Data stolen: authentication tokens, messages sent and received, full contact lists and media files.
- Exfiltration: data is encrypted with a custom RSA method and obscured via Unicode manipulation, LZString compression, Base-91 encoding and AES before being sent to an attacker server.
- Persistence: attackers link devices to victims through WhatsApp’s pairing process, which can maintain access after the malicious package is removed.
- Discovery and reporting: research and write-up published by Koi Security (Tuval Admoni).
- Context: follows other poisoned npm packages and large token-farming campaigns affecting the ecosystem.
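The first check a practitioner will want after reading the facts above is whether the package is anywhere in their dependency tree, including transitively. The block below is an added example, not part of the original article and not a tool the article mentions: it scans a parsed package-lock.json for a set of package names and reports where each hit sits and which packages depend on it, handling both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages" map keyed by install path). The sample lockfile, the package name `wa-bot-helper` and all version strings in it are constructed placeholders.

```javascript
// Added example: find flagged package names in a parsed package-lock.json.
// Not part of the original article; sample data below is constructed.

const FLAGGED = new Set(['lotusbail']); // name reported by Koi Security

function scanLockfile(lock, flagged = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; "" is the root project itself.
    const entries = Object.entries(lock.packages);
    for (const [path, meta] of entries) {
      if (path === '') continue;
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      if (!flagged.has(name)) continue;
      // Anything whose declared dependencies include the name pulled it in.
      const dependents = entries
        .filter(([, m]) => m.dependencies && name in m.dependencies)
        .map(([p]) => (p === '' ? '<root>' : p));
      hits.push({ name, version: meta.version, path, dependents });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; walk it and record the parent.
    const walk = (deps, parent, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (flagged.has(name)) {
          hits.push({ name, version: meta.version, path, dependents: [parent] });
        }
        if (meta.dependencies) walk(meta.dependencies, name, `${path}/`);
      }
    };
    walk(lock.dependencies, '<root>', '');
  }
  return hits;
}

// Constructed sample: the genuine library is a direct dependency, and the
// flagged package arrives transitively through a hypothetical helper package.
// Version strings are placeholders, not real release numbers.
const SAMPLE_LOCK = {
  name: 'bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'bot', dependencies: { 'wa-bot-helper': '^1.0.0', '@whiskeysockets/baileys': '^6.0.0' } },
    'node_modules/@whiskeysockets/baileys': { version: '6.0.0' },
    'node_modules/wa-bot-helper': { version: '1.2.0', dependencies: { lotusbail: '^1.0.0' } },
    'node_modules/lotusbail': { version: '1.0.0' },
  },
};

for (const hit of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}, pulled in by: ${hit.dependents.join(', ')}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of SAMPLE_LOCK. A hit on a transitive path is the case that matters most: the team never chose the package, so grepping package.json alone would miss it.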
What to watch next
- Whether the lotusbail package has been removed from the npm registry and any takedown details — not confirmed in the source.
- Disclosure or remediation steps from the maintainers of the Baileys library or npm — not confirmed in the source.
- Scope of victimization and whether specific accounts have been identified or notified — not confirmed in the source.
Quick glossary
- npm package: A bundle of JavaScript code and metadata distributed via the Node Package Manager (npm) registry for use in applications and projects.
- WebSocket: A protocol providing persistent, bidirectional communication between a client and server, often used for real-time messaging.
- Authentication token: A piece of data used to verify a user's identity and grant access to a service without repeatedly sending credentials.
- Device pairing: A process that links a secondary device to an account, allowing the linked device to access the same messages and features.
- Obfuscation: Techniques applied to code or data to make analysis and detection more difficult, often by transforming content into less recognizable forms.
Reader FAQ
Who discovered the malicious package?
Koi Security detected and reported the package; the researcher noted by name is Tuval Admoni.
Has the package been removed from npm?
Not confirmed in the source.
How does the malware persist after uninstall?
The package abuses WhatsApp's device pairing to link an attacker's device to the victim's account, so access continues even if the package is removed. Uninstalling the dependency is therefore only the first step; the pairing has to be revoked on the account itself.
Are specific victims or account compromises identified?
Not confirmed in the source.

Source excerpt (Cyber-crime section): "Poisoned WhatsApp API package steals messages and accounts. And it's especially dangerous because the code works." Jessica Lyons, Mon 22 Dec 2025, 22:04 UTC. A malicious npm package with more than…
Sources
- Poisoned WhatsApp API package steals messages and accounts
- Fake WhatsApp API Package on npm Steals Messages …
- WhatsApp API worked exactly as promised, and stole everything
- NPM Package With 56K Downloads Caught Stealing …