Beware: Malicious NPM Package Steals WhatsApp Accounts and Messages
Kawish Hussain
December 24, 2025
Over 56,000 developers unknowingly downloaded a trojanized WhatsApp API library masquerading as Baileys. This malicious npm package intercepts messages, steals authentication tokens, and grants attackers persistent account access through device pairing, and it's been flying under the radar for six months.
The Threat
A trojanized npm package has been silently compromising WhatsApp accounts for at least six months. Named lotusbail, this malicious library masquerades as a legitimate WhatsApp Web API and has racked up over 56,000 downloads before being discovered by Koi Security researchers. If you've installed it, your WhatsApp account and everyone in your contact list could be at risk.
What Exactly Does It Do?
The lotusbail package is a fork of the popular WhiskeySockets Baileys project, so it functions normally while simultaneously working as a backdoor. Here's what we're dealing with:
The malware captures WhatsApp authentication tokens and session keys, intercepts and records every incoming and outgoing message, and exfiltrates your contact lists, media files, and documents. It also links the attacker's device to your WhatsApp account through the device pairing process, which means they get permanent access even after you remove the package. The only way to stop them is by manually unlinking devices from WhatsApp settings.
How Does It Stay Hidden?
The package uses some clever obfuscation techniques to avoid detection. There are 27 infinite loop traps designed to confuse debuggers and code analysis tools. Custom RSA encryption wraps the stolen data. Unicode tricks and LZString compression obscure the malicious code. Multiple layers of AES encryption happen before data exfiltration.
Essentially, the malware sits in the middle of your WebSocket communication with WhatsApp, intercepting credentials at authentication and recording messages as they flow through.
The Supply Chain Problem
This is a classic supply chain attack. The package provides real functionality (stolen from Baileys), so it might pass cursory inspection. Developers pull it in for a legitimate use case, it works as expected, and it silently betrays them in the background. That's the scary part.
What You Need to Do Right Now
Search your projects for the lotusbail dependency. Remove it from your package.json and reinstall clean dependencies. Run npm audit to check for related malicious packages. Check your WhatsApp account settings and review linked devices. Consider rotating any credentials that may have been exposed.
For your team, review any git commits that reference this package. Check server logs for unexpected outbound connections around authentication flows. Consider this a potential security incident and audit affected accounts.
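As an added example (not code from the article or from Koi Security), a POSIX shell script for the first step above across a whole tree of projects: it scans every package.json, package-lock.json and yarn.lock for the lotusbail name and exits non-zero on a hit, so it can gate a CI job. The fixture it builds is constructed sample data, and the version numbers in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or the Koi Security write-up): locate the
# trojanized "lotusbail" dependency across a tree of projects by checking the
# three files in which a dependency name is recorded. Returns 0 when the tree is
# clean and 1 when at least one matching file path is printed.

find_lotusbail() {
  root="$1"
  pkg="${2:-lotusbail}"
  # The name shows up in three shapes:
  #   "lotusbail": "^x.y.z"      dependency key in package.json / lockfile v1
  #   "node_modules/lotusbail"   package path in package-lock.json v2/v3
  #   lotusbail@^x.y.z:          entry header in yarn.lock (quoted for npm: ranges)
  pattern="\"$pkg\"[[:space:]]*:|node_modules/$pkg\"|^\"?$pkg@"
  hits=$(find "$root" -type f \
           \( -name package.json -o -name package-lock.json -o -name yarn.lock \) \
           ! -path '*/node_modules/*' \
           -exec grep -lE "$pattern" {} + 2>/dev/null) || true
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed fixture (not real project data): an infected npm project, an
# infected yarn project and a clean project that depends on upstream Baileys.
# Versions are placeholders. Prints the fixture root.
make_fixture() {
  fix=$(mktemp -d)
  mkdir -p "$fix/infected-npm" "$fix/infected-yarn" "$fix/clean"
  printf '{ "dependencies": { "lotusbail": "^1.0.0" } }\n' \
    > "$fix/infected-npm/package.json"
  printf '{ "packages": { "node_modules/lotusbail": { "version": "1.0.0" } } }\n' \
    > "$fix/infected-npm/package-lock.json"
  printf 'lotusbail@^1.0.0:\n  version "1.0.0"\n' > "$fix/infected-yarn/yarn.lock"
  printf '{ "dependencies": { "@whiskeysockets/baileys": "^1.0.0" } }\n' \
    > "$fix/clean/package.json"
  echo "$fix"
}

# Stand-alone run: scan the fixture, then clean it up.
FIXTURE=$(make_fixture)
if find_lotusbail "$FIXTURE"; then
  echo "clean"
else
  echo "compromised manifest(s) listed above: unlink devices and rotate credentials"
fi
rm -rf "$FIXTURE"
```

Point find_lotusbail at a real checkout root instead of the fixture; running `npm ls lotusbail` inside a project additionally checks the installed node_modules tree, which this scan skips.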
The Lesson: Static Analysis Isn't Enough
The researchers at Koi Security emphasize something crucial: you can't just read the source code and call it safe. You need to monitor runtime behavior. Watch for unexpected network connections, unusual activity during authentication, and suspicious patterns in new dependencies.
This is why dependency pinning matters. Security audits matter. Runtime monitoring matters. Not every fork of popular projects is trustworthy.
Best Practices Going Forward
Vet your dependencies ruthlessly. Check the maintainer, review the GitHub activity, and verify that recent updates make sense. Use lock files (package-lock.json or yarn.lock) and commit them. Set up dependency scanning in your CI/CD pipeline. Monitor for security advisories.
Be skeptical of forks unless you know exactly why they exist and who maintains them. Test new dependencies in isolation before deploying to production.
The npm ecosystem is powerful precisely because it's open. But that openness requires vigilance from all of us.