Malicious npm package posing as a WhatsApp Web API library operated for months as a functional dependency while stealing messages and maintaining persistence.

InfoWorld is a source of news, analysis, and commentary on technology trends, IT strategies, and business innovation. With a focus on enterprise technology and digital transformation, InfoWorld offers insights and guidance for IT decision-makers, software developers, and technology professionals. From  articles on cloud computing and cybersecurity to product reviews and industry trends, InfoWorld helps readers navigate the complexities of modern IT environments and make informed decisions to drive business success.

InfoWorld

A malicious npm package called "lotusbail" masqueraded as a legitimate WhatsApp Web API library for six months, accumulating over 56,000 downloads. The package functioned correctly while secretly stealing messages, credentials, and contact data through a proxy layer that intercepted all operations. It used four layers of obfuscation and RSA encryption to exfiltrate data to attacker-controlled servers. Most critically, it exploited WhatsApp's multi-device pairing to maintain persistent access even after package removal, requiring manual device unlinking. The package remains available on npm, highlighting the limitations of traditional security checks against supply-chain attacks that mimic legitimate behavior.

WhatsApp API worked exactly as promised, and stole everything

That’s such terrible news.
npm is too big for maintainers to even address all the issues.

What’s sad is that WhatsApp prides itself on its end-to-end encryption, making users feel comfortable sharing sensitive information back and forth. Very disheartening news to see.