Poisoned WhatsApp API package steals messages and accounts
Summary
A malicious npm package called lotusbail, downloaded over 56,000 times and active for about six months, posed as a WhatsApp Web API library. Security researchers at Koi Security found it to be a working fork of the legitimate @whiskeysockets/baileys library that actually sends and receives WhatsApp messages — while silently duplicating authentication tokens, messages, contacts and media and exfiltrating them to an attacker-controlled server.
The package wraps WhatsApp communications via a WebSocket layer so it can intercept credentials and message traffic. It uses a custom RSA implementation and multiple obfuscation layers (Unicode tricks, LZString compression, Base91 encoding and AES) to hide exfiltration, and it can backdoor accounts by pairing an attacker device to the victim’s WhatsApp via the device pairing process, allowing persistent access even after the malicious npm package is removed.
Key Points
- lotusbail is a malicious npm package masquerading as a WhatsApp Web API library and has 56,000+ downloads.
- It is a functional fork of the Baileys library and therefore appears legitimate to developers and projects that include it.
- The package intercepts WebSocket traffic to capture authentication tokens, messages, contact lists and media for exfiltration.
- Data exfiltration is hidden behind a custom RSA implementation and layers of obfuscation (Unicode manipulation, LZString compression, Base91 encoding, AES).
- Attackers can pair their device to victims’ WhatsApp accounts via the device-pairing flow, maintaining access even after uninstalling the package.
- This incident highlights escalating npm supply-chain risks following other token-farming and secret-stealing campaigns across the registry.
- Practical mitigations include revoking WhatsApp sessions, rotating credentials, auditing dependencies and avoiding untrusted forks of popular libraries.
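As an added example of the dependency-auditing mitigation (this is not code from the article or from Koi Security), the Node script below walks an npm lockfile, flags the package name the article reports plus any dependency resolved from outside the public registry, and reports the chain that pulled each one in. The sample lockfile, the names wa-helper and pad-utils, and all versions and URLs in it are constructed.

```javascript
// Added example, not from the article or Koi Security: audit an npm lockfile
// (lockfileVersion 2/3 "packages" map) for a blocklisted name and for packages fetched
// from outside the public registry, reporting the dependency chain for each finding.
const BLOCKLIST = new Set(["lotusbail"]); // package name taken from the article
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
const nameFromKey = (key) => key.slice(key.lastIndexOf("node_modules/") + 13); // "node_modules/a/node_modules/@s/b" -> "@s/b"
// Mimic Node's lookup: the nearest enclosing node_modules directory that holds depName.
function resolveDep(packages, fromKey, depName) {
  for (let base = fromKey; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    base = base.includes("/node_modules/") ? base.slice(0, base.lastIndexOf("/node_modules/")) : "";
  }
}
// Breadth-first from the root entry "": record which package first required each installed one.
function buildParents(packages) {
  const parent = new Map([["", null]]);
  for (const queue = [""]; queue.length; ) {
    const key = queue.shift(), e = packages[key];
    for (const dep of Object.keys({ ...e.dependencies, ...e.devDependencies })) {
      const child = resolveDep(packages, key, dep);
      if (child !== null && !parent.has(child)) { parent.set(child, key); queue.push(child); }
    }
  }
  return parent;
}
function chainFor(parent, key) {
  if (!parent.has(key)) return "(not reachable from package.json)";
  const names = [];
  for (let k = key; k !== ""; k = parent.get(k)) names.unshift(nameFromKey(k));
  return ["<root>", ...names].join(" > ");
}
function auditLockfile(lock) {
  const packages = lock.packages, parent = buildParents(packages), findings = [];
  for (const key of Object.keys(packages).filter((k) => k !== "")) {
    const name = nameFromKey(key), resolved = packages[key].resolved || "", chain = chainFor(parent, key);
    if (BLOCKLIST.has(name)) findings.push({ name, reason: "blocklisted", chain });
    if (resolved && !resolved.startsWith(TRUSTED_REGISTRY))
      findings.push({ name, reason: `non-registry source ${resolved}`, chain });
  }
  return findings;
}
// Constructed sample lockfile: "wa-helper", "pad-utils", the versions and the URLs are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "chat-bot", dependencies: { "wa-helper": "^1.0.0", "pad-utils": "^2.0.0" } },
  "node_modules/wa-helper": { version: "1.0.0", resolved: "https://registry.npmjs.org/wa-helper/-/wa-helper-1.0.0.tgz", dependencies: { lotusbail: "^6.0.0" } },
  "node_modules/lotusbail": { version: "6.0.0", resolved: "https://registry.npmjs.org/lotusbail/-/lotusbail-6.0.0.tgz" },
  "node_modules/pad-utils": { version: "2.0.0", resolved: "git+https://example.invalid/pad-utils.git#deadbeef" },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.name}: ${f.reason} via ${f.chain}`);
```

Run it against a real package-lock.json with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a transitive hit like the one shown tells you which direct dependency to remove or pin.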
Content summary
Koi Security’s analysis reveals that lotusbail isn’t just fake glue code — it functions as a real WhatsApp API so developers are more likely to install and use it. Because the malicious code routes all WhatsApp traffic through its wrapper, it duplicates authentication tokens and every message or file passing through the API, then encrypts and obfuscates that data for stealthy exfiltration to attacker servers. Critically, the threat doesn’t end with package removal: the attack uses WhatsApp’s device pairing to add the attacker’s device to the victim’s account, enabling ongoing access.
The story sits in a pattern of increasingly dangerous npm supply-chain attacks — from token-farming botnets to credential and secret-stealing libraries — that make dependency hygiene and runtime monitoring essential for any org relying on open-source packages.
Context and relevance
This is an important supply-chain warning for developers and security teams. Many projects import convenience wrappers and forks of popular libraries without thorough vetting; lotusbail demonstrates how a working, attractive API can be weaponised to harvest secrets and persist access. The incident underlines the need for stronger registry policing, dependency scanning and runtime checks for unusual network activity or unexpected device pairings.
Why should I read this?
Because if you use WhatsApp libraries, or pull in unvetted npm packages at work or in side projects, this one will scare you — it actually works and quietly rips out tokens, messages and account access. Skip the panic and read the bit about device pairing and revoking sessions; that’ll help you fix the mess faster.
Author style
Punchy: this isn’t academic — it’s active malware that looks legit. If you manage dependencies or user messaging flows, take the details seriously and action the recommended checks now.
