Malicious NPM Package Steals WhatsApp Data: Lotusbail Exposed

A dangerous new threat has emerged in the Node Package Manager (NPM) registry, posing as a legitimate WhatsApp Web API library. This malicious package, known as lotusbail, is a fork of the popular WhiskeySockets Baileys project. Disguised as a useful tool, the package has been actively stealing sensitive data from WhatsApp accounts, including messages, contacts, and authentication tokens. Since its publication, it has accumulated over 56,000 downloads, potentially compromising many developers and their users.

The lotusbail package, which has been available for at least six months, offers the same functionality as a genuine WebSocket client for WhatsApp, but with a sinister twist. Researchers at Koi Security, a supply-chain security company, uncovered the malicious behavior hidden within this package. It allows cybercriminals to intercept and record WhatsApp messages, steal session keys, access contacts and media files, and exfiltrate them. This package not only steals sensitive data but also links the attacker’s device to the victim’s WhatsApp account, providing persistent access even after the malicious package is removed.

What Undercode Says:

The lotusbail incident highlights a serious weakness in the software supply chain, particularly in widely used package managers like NPM. This attack underscores the need for developers to exercise extreme caution when integrating third-party libraries into their projects. The ease with which this malicious package evaded scrutiny for months raises questions about the effectiveness of existing security controls and verification methods in package repositories.

In this case, the malicious package masked itself as a legitimate tool, leveraging the trusted nature of open-source software. By incorporating features like RSA encryption and multiple layers of obfuscation, the malware ensured that its activities remained undetected by typical code audits. Moreover, its ability to silently link an attacker’s device to a victim’s WhatsApp account demonstrates a high level of sophistication in exploiting unsuspecting users’ trust.

The use of 27 infinite loop traps to hinder debugging further complicates efforts to identify and remove this malicious code. This tactic, along with the manipulation of authentication flows, is an excellent example of how attackers are leveraging advanced techniques to maintain persistence and make detection harder. The lotusbail package serves as a cautionary tale about the importance of runtime analysis, not just source code inspection, when evaluating the safety of third-party dependencies.

Developers who unknowingly integrated this package into their applications are advised to take immediate action by removing it from their systems and reviewing their WhatsApp account for any suspicious linked devices. Monitoring runtime behavior for unexpected outbound connections is crucial for identifying other potential threats.
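The first step in that advice, confirming whether lotusbail is present anywhere in a project's dependency tree and which direct dependency pulled it in, can be automated against the project's lockfile. The Node.js script below is an added example written for this article; it is not code from the article, from Koi Security, or from the Baileys project. It assumes the flat "packages" map that npm 7 and later write into package-lock.json (lockfileVersion 2 or 3); the lockfile it scans by default is constructed sample data with a placeholder version, and the helper function names are this example's own.

```javascript
// Added example: locate a named package in an npm lockfile and report the
// dependency chains that introduced it. Not the article's or Koi Security's code.
// Assumes lockfileVersion 2/3 ("packages" map keyed by node_modules path).

const SUSPECT = 'lotusbail'; // package name taken from the article

// Constructed sample lockfile for the demo. The version string is a placeholder,
// not a real lotusbail release.
const SAMPLE_LOCK = {
  name: 'chat-bridge',
  lockfileVersion: 3,
  packages: {
    '': { name: 'chat-bridge', version: '1.0.0',
          dependencies: { 'wa-helper': '^2.0.0', express: '^4.18.0' } },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/wa-helper': { version: '2.1.0', dependencies: { lotusbail: '*' } },
    'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-sample' },
  },
};

// Package name from a lockfile key: the text after the last "node_modules/"
// segment, which keeps scoped names such as "@scope/name" intact.
function nameFromKey(key) {
  if (key === '') return '<root>';
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Map: package name -> set of package names that declare it as a dependency.
function buildDependents(lock) {
  const dependents = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const from = nameFromKey(key);
    for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      for (const dep of Object.keys(entry[field] || {})) {
        if (!dependents.has(dep)) dependents.set(dep, new Set());
        dependents.get(dep).add(from);
      }
    }
  }
  return dependents;
}

// Every installed copy of `name` (npm may nest several), with path and version.
function installedCopies(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => key !== '' && nameFromKey(key) === name)
    .map(([key, entry]) => ({ path: key, version: entry.version }));
}

// All chains from the project root down to `name`, e.g. ['<root>', 'wa-helper', 'lotusbail'].
function chainsTo(lock, name) {
  const dependents = buildDependents(lock);
  const chains = [];
  const walk = (current, chain, seen) => {
    if (current === '<root>') { chains.push([...chain].reverse()); return; }
    for (const parent of dependents.get(current) || []) {
      if (seen.has(parent)) continue; // guard against cyclic dependency graphs
      walk(parent, [...chain, parent], new Set([...seen, parent]));
    }
  };
  walk(name, [name], new Set([name]));
  return chains;
}

// Combined report for one package name.
function scanLock(lock, name = SUSPECT) {
  const copies = installedCopies(lock, name);
  return { found: copies.length > 0, copies, chains: chainsTo(lock, name) };
}

// Convenience wrapper for a real lockfile on disk (fs loaded lazily so the
// in-memory demo and tests never touch the filesystem).
function scanLockFile(filePath, name = SUSPECT) {
  const fs = require('fs');
  return scanLock(JSON.parse(fs.readFileSync(filePath, 'utf8')), name);
}

// Demo on the constructed lockfile: reports one copy, reached via wa-helper.
console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
```

Run `scanLockFile('package-lock.json')` against a real project to get the same report; a non-empty `chains` list tells you which direct dependency to replace or pin, and the per-copy paths tell you exactly what to delete before reinstalling. The script does not cover the older lockfileVersion 1 nested layout, which has no "packages" map.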

Fact Checker Results:

✅ The lotusbail package does indeed exist and has been available on NPM for over six months, accumulating more than 56,000 downloads.

✅ The malicious package can intercept WhatsApp messages and steal authentication tokens, session keys, contacts, and media.

❌ Runtime analysis is often overlooked by developers, which contributed to the prolonged undetected presence of the malware.

Prediction:

As the attack methods used by the lotusbail package become more widely known, developers will likely increase their vigilance when evaluating third-party libraries. The use of obfuscation techniques and the introduction of persistent access strategies will likely inspire more sophisticated malware in the future. However, the ongoing focus on improving runtime behavior monitoring in security protocols could significantly reduce the effectiveness of such threats. Developers and security professionals alike will need to stay ahead of these evolving tactics to protect sensitive data and maintain trust in the open-source ecosystem.

References:

Reported By: www.bleepingcomputer.com