- Malicious NPM package lotusbail hijacks WhatsApp accounts, steals tokens, messages and contacts
- Attackers connect their device via WhatsApp pairing and continue even after the package is removed
- The package had 56,000+ downloads before discovery; developers are encouraged to verify package sources carefully
Node Package Manager (NPM) registry users are being targeted with malware that takes over their WhatsApp accounts, stealing messages and contact lists, experts have warned.
Cybersecurity researchers Koi Security recently discovered a fork of the popular WhiskeySockets Baileys project, an open source TypeScript/JavaScript library that provides a WebSocket-based API to interact with the WhatsApp Web protocol, letting developers programmatically connect to WhatsApp as a companion device.
The malicious fork, called ‘lotusbail’, keeps all the functionality of the legitimate project, but it also steals WhatsApp authentication tokens and session keys, intercepts and records every message, and exfiltrates contacts, media files and other documents to a third-party server.
Taking over WhatsApp accounts
“The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application first passes through the malware’s socket wrapper,” Koi Security said in its report.
“When you authenticate, the wrapper captures your credentials. When messages arrive, it captures them. When you send messages, it captures them.”
But perhaps most alarmingly, the package links the attacker’s device to the victim’s WhatsApp account through the app’s device-pairing feature. Because that link lives in the WhatsApp account rather than in the code, removing the malicious NPM package is not enough: the account stays compromised until the attacker’s device is unlinked, which the victim must do manually (WhatsApp lists companion devices under Linked Devices).
The malware sat on npm for at least half a year, during which time it accumulated more than 56,000 downloads.
NPM is one of the world’s most popular public registries of JavaScript packages. It allows developers to discover, download and manage open source and private packages used in Node.js and JavaScript projects.
As such, it is constantly targeted by scams and attacks, from malicious forks like this one to typosquatted names. Developers are advised to be careful about what they download and run, even when a project has thousands of downloads: check that the package name and its repository field match the upstream project you intend to use, pin versions in a lockfile, and review what a new dependency actually does before it reaches production.