NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
The Koidex report for the lotusbail package

The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing.

Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server.

What gets captured:
- Authentication tokens and session keys
- Complete message history (past and present)
- Full contact lists with phone numbers
- Media files and documents
- Persistent backdoor access to your WhatsApp account

How It Works

The Cover Is Real

Most malicious npm packages reveal themselves quickly - they're typosquats, they don't work, or they're obviously sketchy. This one actually functions as a WhatsApp API. It's based on the legitimate Baileys library and provides real, working functionality for sending and receiving WhatsApp messages.

Obvious malware is easy to spot. Functional malware? That gets installed, tested, approved, and deployed to production. The social engineering here is brilliant: developers don't look for malware in code that works. They look for code that breaks.

The Theft and Exfiltration

The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first. When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them. The legitimate functionality continues working normally - the malware just adds a second recipient for everything.

All your WhatsApp authentication tokens, every message sent or received, complete contact lists, media files - everything that passes through the API gets duplicated and prepared for exfiltration.

But the stolen data doesn't get sent in plain text. The malware includes a complete, custom RSA implementation for encrypting the data before transmission. Why implement custom RSA? Because legitimate WhatsApp libraries don't need custom encryption - WhatsApp already handles end-to-end encryption. The custom crypto exists for one reason: to encrypt stolen data before exfiltration so network monitoring won't catch it.

The exfiltration server URL is buried in encrypted configuration strings, hidden inside compressed payloads. The malware uses four layers of obfuscation: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. The server location isn't hardcoded anywhere visible.

The Backdoor

Here's where it gets particularly nasty. WhatsApp uses pairing codes to link new devices to accounts. You request a code, WhatsApp generates a random 8-character string, you enter it on your new device, and the devices link together.

The malware hijacks this process with a hardcoded pairing code. The code is encrypted with AES and hidden in the package. This means the threat actor has a key to your WhatsApp account. When you use this library to authenticate, you're not just linking your application - you're also...