Fake Whatsapp API Package On Npm Steals Messages, Contacts, And...
Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account.
The package, named "lotusbail," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "seiren_primrose" in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing.
Under the cover of a functional tool, the malware "steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server," Koi Security researcher Tuval Admoni said in a report published over the weekend.
Specifically, it's equipped to capture authentication tokens and session keys, message history, contact lists with phone numbers, as well as media files and documents. More significantly, the library is inspired by @whiskeysockets/baileys, a legitimate WebSockets-based TypeScript library for interacting with the WhatsApp Web API.
This is accomplished by means of a malicious WebSocket wrapper through which authentication information and messages are routed, thereby allowing it to capture credentials and chats. The stolen data is transmitted to an attacker-controlled URL in encrypted form.
The attack doesn't stop there: the package also harbors covert functionality that creates persistent access to the victim's WhatsApp account by hijacking the device-linking process with a hard-coded pairing code.
"When you use this library to authenticate, you're not just linking your application -- you're also linking the threat actor's device," Admoni said. "They have complete, persistent access to your WhatsApp account, and you have no idea they're there."
Linking the attacker's device to the target's WhatsApp account not only allows continued access to their contacts and conversations but also preserves that access even after the package is uninstalled from the system, since the threat actor's device remains linked to the WhatsApp account until it is unlinked in the app's settings.
Koi Security's Idan Dardikman told The Hacker News that the malicious activity is triggered when the developer uses the library to connect to WhatsApp.
"The malware wraps the WebSocket client, so once you authenticate and sta
Source: The Hacker News