Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens
Researchers have uncovered a malicious package on the npm registry that poses as a fully functional WhatsApp API.
The package, named “lotusbail,” has been downloaded over 56,000 times since its upload in May 2025.
Beyond working as advertised, it is able to intercept every message and link the attacker’s device to a victim’s WhatsApp account.
Malicious Package’s Capabilities
Under the cover of a functional tool, the malware, in the researchers’ words, “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server.”
Specifically, it is equipped to capture authentication tokens and session keys, message history, contact lists with phone numbers, as well as media files and documents.
The library is modeled on @whiskeysockets/baileys, a legitimate WebSocket-based TypeScript library for interacting with the WhatsApp Web API.
Attack Mechanism
The stolen data is transmitted to an attacker-controlled URL in encrypted form.
The package also harbors covert functionality that creates persistent access to the victim’s WhatsApp account by hijacking the device-linking process with a hard-coded pairing code.
As a result, the threat actor’s device is linked the moment the app is connected to WhatsApp.
Supply Chain Attack
“Supply chain attacks aren’t slowing down – they’re getting better,” Koi said.
Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it.
Reputation systems see 56,000 downloads and trust it.
Malicious NuGet Packages
The disclosure comes as ReversingLabs shared details of 14 malicious NuGet packages that impersonate Nethereum, a .NET integration library for the Ethereum decentralized blockchain.
These packages have leveraged several techniques to lull users into a false sense of security, including inflating download counts and publishing dozens of new versions in a short amount of time.
Notable among the packages is GoogleAds.API, which focuses on stealing Google Ads OAuth information instead of exfiltrating wallet data secrets.