Malicious NPM Package with 56K Downloads Steals WhatsApp Messages


A dangerous npm package named “lotusbail” has been stealing WhatsApp messages and user data from thousands of developers worldwide.

The package, which has been downloaded over 56,000 times, disguises itself as a legitimate WhatsApp Web API library while secretly running malware in the background.

It presents itself as a fork of the trusted “@whiskeysockets/baileys” package, making it appear safe to developers who need WhatsApp integration tools.

The malware is particularly dangerous because it actually works as advertised. Unlike most malicious packages that break or fail quickly, lotusbail delivers real functionality for sending and receiving WhatsApp messages.

This clever approach allows it to pass code reviews and be deployed to production systems without raising suspicion. Developers install it, test it, see that it works, and never realize the theft happening behind the scenes.

Koidex report for lotusbail package (Source - Koi)

The package has remained active on npm for six months and was still available at the time of discovery.


During this period it has silently collected authentication tokens, message histories, contact lists and media files, while maintaining persistent backdoor access to infected WhatsApp accounts.

Koi analysts identified the sophisticated malware campaign after detecting unusual behavioral patterns during runtime analysis of the package.

The stolen information includes complete WhatsApp session keys, all past and present messages, full contact directories with phone numbers, and any media or documents shared through the application.

The malware captures this data by wrapping the legitimate WebSocket client that connects to WhatsApp servers, essentially creating a man-in-the-middle attack that duplicates everything passing through the connection.

Data Theft and Encryption Mechanism

The malware uses a custom RSA encryption system to hide stolen data before sending it to the attacker’s server.

Theft and Exfiltration (Source - Koi)

This is a major red flag because legitimate WhatsApp libraries never need additional encryption since WhatsApp already provides end-to-end encryption.

The custom crypto layer exists solely to encrypt stolen data so network monitoring tools cannot detect the theft.

The exfiltration server address is hidden through four layers of protection: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption.

The Backdoor (Source - Koi)

This makes it extremely difficult to trace where the stolen data is being sent. The malware also hijacks WhatsApp’s device pairing system by using a hardcoded pairing code encrypted with AES.

This means the attacker can link their own device to victim accounts, giving them complete control even after the malicious package is removed from the system.

To avoid detection, the package includes 27 infinite loop traps that activate when debugging tools are present, making analysis extremely difficult for security researchers.
