
Fake WhatsApp API Library Siphoning User Messages and Account Credentials

Cybersecurity researchers have uncovered a malicious npm package called lotusbail that poses as a legitimate WhatsApp API library. While the package provides functional code for developers, it secretly intercepts messages, steals credentials, and establishes a persistent backdoor into victims' WhatsApp accounts.

How Lotusbail Operates

The package, uploaded in May 2025 by a user named "seiren_primrose," has gained trust through more than 56,000 downloads. Researchers from Koi Security found that it is a malicious fork of the legitimate Baileys library. Because the code actually works, it often bypasses static analysis and developer scrutiny.

Once integrated into an application, the malware performs several invasive actions:

  • Message Interception: It uses a malicious WebSocket wrapper to capture every sent and received message, including media files and documents.
  • Credential Theft: It siphons authentication tokens and session keys as soon as a user logs in.
  • Persistent Hijacking: The most dangerous feature is its abuse of the WhatsApp device-linking process. It uses a hard-coded pairing code to silently link the attacker’s device to the victim's account.

Crucially, uninstalling the npm package does not remove the threat. The attacker’s device remains linked to the WhatsApp account until the victim manually unlinks it through the app's "Linked Devices" settings.

Malicious NuGet Packages Target Crypto

In a simultaneous discovery, ReversingLabs identified 14 malicious NuGet packages designed to steal cryptocurrency. This campaign, active since July 2025, primarily targets the .NET ecosystem by impersonating popular tools like Nethereum.

The attackers used several deceptive tactics to build a false sense of security:

  • Homoglyph Tricks: Using lookalike characters (e.g., a Cyrillic "e") to mimic legitimate package names.
  • Inflated Metrics: Artificially boosting download counts to make the packages appear popular and trustworthy.
  • Active Maintenance: Releasing frequent updates to simulate a healthy, well-maintained project.
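The homoglyph trick above is one a dependency audit can catch mechanically. As an added example (not code from the researchers or from either ecosystem's tooling), the script below folds lookalike Cyrillic and Greek letters to their Latin counterparts and flags any package id that then collides with an expected name, or that is simply non-ASCII; the allow-list, the confusable table and the sample .csproj are constructed for the demonstration.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Allow-list of package ids this project expects (assumption: maintained by the team).
KNOWN_PACKAGES = {"Nethereum", "Nethereum.Web3", "Newtonsoft.Json"}

# Small confusable table (constructed, not exhaustive): Cyrillic/Greek letters
# whose glyphs are indistinguishable from the Latin letters they map to.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u03bf": "o", "\u03b1": "a",
})

def skeleton(name):
    """Fold lookalike letters to Latin, then NFKC-normalise so visually identical
    spellings (e.g. full-width letters) compare equal."""
    return unicodedata.normalize("NFKC", name.translate(CONFUSABLES))

def audit(names, known=KNOWN_PACKAGES):
    """Return (name, reason) for every package id that is not what it looks like."""
    findings = []
    for name in names:
        folded = skeleton(name)
        if folded != name and folded in known:
            findings.append((name, "homoglyph of " + folded))
        elif not name.isascii():
            findings.append((name, "non-ASCII package id"))
    return findings

def package_ids(csproj_xml):
    """Collect the Include= ids of every PackageReference in a .csproj document."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]

# Constructed sample: the second reference spells Nethereum with a Cyrillic 'е' (U+0435).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="N\u0435thereum" Version="4.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, reason in audit(package_ids(SAMPLE_CSPROJ)):
        print(f"SUSPICIOUS {name!r}: {reason}")
```

The same `audit` function works on any list of names, for instance the keys of an npm package.json `dependencies` object.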

These packages are designed to exfiltrate private keys and seed phrases or redirect transaction funds to attacker-controlled wallets when transfers exceed $100. One specific package, GoogleAds.API, was also found stealing OAuth tokens, which could allow attackers to hijack advertising accounts and spend unlimited funds.
