
"Under the cover of a functional tool, the malware "steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server," Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it's equipped to capture authentication tokens and session keys, message history, contact lists with phone numbers, as well as media files and documents."
"This is accomplished by means of a malicious WebSocket wrapper through which authentication information and messages are routed, thereby allowing it to capture credentials and chats. The stolen data is transmitted to an attacker-controlled URL in encrypted form. The attack doesn't stop there, for the package also harbors covert functionality to create persistent access to the victim's WhatsApp account by hijacking the device linking process by using a hard-coded pairing code."
A malicious npm package named lotusbail offers a functional WhatsApp API while exfiltrating sensitive account data and establishing persistent access. The package was uploaded in May 2025 by a user named seiren_primrose and has been downloaded over 56,000 times, including 711 downloads in the last week, and remains available. The library captures authentication tokens, session keys, message history, contact lists with phone numbers, media files, and documents. The malware uses a malicious WebSocket wrapper inspired by @whiskeysockets/baileys to route and capture authentication information and messages, then sends encrypted data to an attacker-controlled URL. The package also hijacks the device linking process using a hard-coded pairing code to link the attacker's device and maintain persistent, unnoticed access to victims' WhatsApp accounts.
Read at The Hacker News