Beware: Malicious NPM Package Steals WhatsApp Accounts and Messages
Kawish Hussain
December 24, 2025
175 views
Over 56,000 developers unknowingly downloaded a trojanized WhatsApp API library masquerading as Baileys. This malicious npm package intercepts messages, steals authentication tokens, and grants attackers persistent account access through device pairing, and it's been flying under the radar for six months.
The Threat
A trojanized npm package has been silently compromising WhatsApp accounts for at least six months. Named lotusbail, this malicious library masquerades as a legitimate WhatsApp Web API and has racked up over 56,000 downloads before being discovered by Koi Security researchers. If you've installed it, your WhatsApp account and everyone in your contact list could be at risk.
What Exactly Does It Do?
The lotusbail package is a fork of the popular WhiskeySockets Baileys project, so it functions normally while simultaneously working as a backdoor. Here's what we're dealing with:
The malware captures WhatsApp authentication tokens and session keys, intercepts and records every incoming and outgoing message, and exfiltrates your contact lists, media files, and documents. It also links the attacker's device to your WhatsApp account through the device pairing process, which means they get permanent access even after you remove the package. The only way to stop them is by manually unlinking devices from WhatsApp settings.