Cybersecurity researchers from Koi Security have issued a major warning for anyone building or using applications that connect to WhatsApp. Their research has identified a popular piece of code that turned out to be a Trojan horse designed to hijack accounts and steal private data.
The malicious package, named lotusbail, was downloaded over 56,000 times since May 2025. To appear legitimate, its authors built it by copying the code of a trusted library, @whiskeysockets/baileys, so the package worked exactly as developers expected. This functional cover is why it was installed, tested, and deployed for six months without suspicion.
How the Deception Worked
According to the technical report authored by Koi Security researcher Tuval Admoni, the malware acts like a live wiretap. Rather than only running the standard connection code, lotusbail inserts a hidden wrapper around the communication channel (a WebSocket) that the library uses to talk to WhatsApp. This allows it to silently duplicate and intercept:
- Private Data: Full contact lists, media files, and sensitive documents.
- Complete History: Every message sent or received, past and present.
- Authentication Tokens: Digital keys that provide access without a password.
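The wiretap described above works by wrapping the transport's methods with code that looks and behaves like the original. One defensive check is to snapshot a trusted transport's prototype before any third-party code loads and compare it afterwards. The following is an added example, not code from the Koi Security report or from any library; the `Channel` class and the `simulateWrapping` helper are constructed stand-ins for a WebSocket-like transport and for a behaviour-preserving wrapper, used only so the check can be exercised offline.

```javascript
// Added example (not from the Koi Security report): integrity check for a
// transport's prototype. Snapshot method identities before untrusted code runs,
// then compare later to detect wrapped, removed or added methods.

// Constructed stand-in for a WebSocket-like transport class.
class Channel {
  send(data) { return `sent:${data}`; }
  receive(data) { return `got:${data}`; }
}

// Record the function object and its source text for every own method.
function snapshotMethods(proto) {
  const snap = new Map();
  for (const name of Object.getOwnPropertyNames(proto)) {
    if (name === 'constructor') continue;
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (typeof desc.value === 'function') {
      snap.set(name, {
        fn: desc.value,
        source: Function.prototype.toString.call(desc.value),
      });
    }
  }
  return snap;
}

// Compare the live prototype against an earlier snapshot. A wrapper that calls
// through to the original still changes the function identity, so it is caught
// even when the observable behaviour is unchanged.
function detectTampering(proto, snap) {
  const findings = [];
  for (const [name, rec] of snap) {
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (!desc || typeof desc.value !== 'function') {
      findings.push({ method: name, issue: 'removed' });
    } else if (desc.value !== rec.fn) {
      findings.push({
        method: name,
        issue: 'replaced',
        newSource: Function.prototype.toString.call(desc.value),
      });
    }
  }
  for (const name of Object.getOwnPropertyNames(proto)) {
    if (name !== 'constructor' && !snap.has(name) &&
        typeof proto[name] === 'function') {
      findings.push({ method: name, issue: 'added' });
    }
  }
  return findings;
}

// Constructed simulation of a behaviour-preserving wrapper: the replacement
// forwards to the original so callers see no difference. Used only to show
// that identity comparison still flags it.
function simulateWrapping(proto) {
  const original = proto.send;
  proto.send = function wrapped(data) { return original.call(this, data); };
}

// Stand-alone run: take a snapshot, load "untrusted" code, then re-check.
const baseline = snapshotMethods(Channel.prototype);
simulateWrapping(Channel.prototype);
console.log(detectTampering(Channel.prototype, baseline));
// → [ { method: 'send', issue: 'replaced', newSource: '...' } ]
```

Taking the snapshot must happen before any dependency is required, otherwise the baseline already contains the wrapper. Freezing the prototype with `Object.freeze` after the snapshot is a cheap hardening step that stops plain reassignment, though it does not stop a dependency from handing you a different class altogether, which is why package provenance still has to be checked separately.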
Further probing revealed a highly organised defence mechanism. To hide its tracks, the malware encrypts the stolen data with its own RSA-based scheme before sending it out, so network security tools cannot inspect the outgoing traffic and flag it as it leaves the system. Legitimate WhatsApp tooling has no need for this extra layer, because the app already protects its traffic with its own encryption.
To make analysis even harder, the authors built in 27 separate traps: infinite loops that freeze the program the moment it detects that someone is trying to inspect it.
The Backdoor That Stays Open
The most alarming detail is how the attackers maintain permanent access. During the setup phase, the malware hijacks the official WhatsApp pairing process. Instead of just connecting the developer’s application, it secretly uses a hardcoded pairing code to link the attacker’s own device to the victim’s account.
“This means the threat actor has a key to your WhatsApp account. When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there,” Admoni explained.
As is well known, once a device is linked to your WhatsApp account, it stays linked. Even if you delete the lotusbail code, the attacker remains logged in through WhatsApp’s own linked-device mechanism. To truly kick them out, you must manually open your WhatsApp settings on your phone, select “Linked Devices,” and log out of any session you don’t recognise.
The lesson here is simple: code that “works” isn’t necessarily safe. Traditional security checks often miss these functional traps, so always verify the origin of a tool before granting it access to your private data.
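Verifying origin can be partly automated. The following is an added example, not code from Koi Security, hackread.com or the baileys project: it audits a lockfile-style dependency map for the package name the article identifies as malicious (lotusbail) and for names that imitate the trusted library (@whiskeysockets/baileys). It assumes an npm `package-lock.json` (lockfile version 2 or 3, where each installed package is keyed by its `node_modules/...` path); the lock data, the version strings and the lookalike name `baileys-demo-lookalike` are constructed for the demo. Note that a name match is only a first filter: the article's point is that a package can carry a trusted library's working code under a different name, so a lookalike finding needs a human to check where the package actually came from.

```javascript
// Added example (not from the Koi Security report): audit a package-lock.json
// "packages" map for a known malicious package and for names that imitate a
// trusted library. Package names come from the article; lock data is constructed.

const KNOWN_MALICIOUS = new Set(['lotusbail']);          // from the article
const TRUSTED = ['@whiskeysockets/baileys'];              // from the article

// Strip an npm scope: "@scope/name" -> "name".
function unscoped(name) {
  return name.includes('/') ? name.split('/')[1] : name;
}

// Standard edit distance, used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
                         diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Walk the lockfile "packages" map. Keys look like "node_modules/foo",
// "node_modules/@scope/foo" or nested "node_modules/a/node_modules/foo";
// the empty key is the project root and is skipped.
function auditDependencies(packages) {
  const findings = [];
  for (const key of Object.keys(packages)) {
    if (key === '') continue;
    const name = key.replace(/^.*node_modules\//, '');
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, severity: 'critical', reason: 'known malicious package' });
      continue;
    }
    if (TRUSTED.includes(name)) continue;
    for (const trusted of TRUSTED) {
      const base = unscoped(trusted);
      const cand = unscoped(name);
      if (cand === base) {
        // Same bare name under a different (or no) scope: needs human review.
        findings.push({ name, severity: 'warn',
                        reason: `same bare name as trusted package ${trusted}` });
      } else if (cand.includes(base) || levenshtein(cand, base) <= 2) {
        findings.push({ name, severity: 'warn',
                        reason: `resembles trusted package ${trusted}` });
      }
    }
  }
  return findings;
}

// Constructed sample lock data; versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  name: 'my-whatsapp-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-whatsapp-bot' },
    'node_modules/lotusbail': { version: '0.0.0' },
    'node_modules/@whiskeysockets/baileys': { version: '0.0.0' },
    'node_modules/baileys-demo-lookalike': { version: '0.0.0' },
    'node_modules/ws': { version: '0.0.0' },
  },
};

console.log(auditDependencies(SAMPLE_LOCK.packages));
// → [ { name: 'lotusbail', severity: 'critical', ... },
//     { name: 'baileys-demo-lookalike', severity: 'warn', ... } ]
```

In a real project the map would be read from `package-lock.json` (or built from `npm ls --all --json`) and the check run in CI, so a new dependency that matches is blocked before it reaches a machine that holds WhatsApp sessions. The known-bad set should be fed from an advisory source rather than hardcoded, and, per the article, removing a flagged package is not enough on its own: any account that was paired while it was installed still needs its linked devices reviewed.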
Expert commentary:
Reflecting on this finding, James Wickett, CEO of DryRun Security, shared his insights with hackread.com, stating, “Backdoors don’t just happen to other people. They happen inside real organisations, often through code that looks legitimate at first glance. Sometimes it’s a malicious dependency, sometimes it’s copied or AI-generated code, and sometimes it’s an internal actor abusing trust.”
“As development accelerates, security teams need visibility into what’s being added to the codebase and the ability to flag suspicious behaviour early, so risky changes get reviewed before they turn into credential theft or persistent access in production,” Wickett advised developers and security experts.
