A malicious npm package named “lotusbail” has been discovered actively stealing user data, including sensitive WhatsApp messages, from potentially tens of thousands of developers worldwide. The rogue package, masquerading as a legitimate API library for WhatsApp Web integration, has seen over 56,000 downloads since its introduction to the npm registry.
This sophisticated campaign poses a significant threat due to the malware’s ability to function as advertised, providing real WhatsApp messaging capabilities while covertly exfiltrating critical information. Security researchers at Koi identified the threat after observing anomalous behavior during runtime analysis, uncovering the extent of the data theft and the attacker’s persistent access methods.
Malicious NPM Package Compromises Developer Security
The “lotusbail” package is designed to deceive developers by presenting itself as a fork of the well-regarded “@whiskeysockets/baileys” library. This mimicry allows it to bypass typical code review processes, as it appears to offer the expected functionality for developers needing to integrate with WhatsApp. Its deceptive nature means that once installed and deployed into production systems, the underlying malware operates undetected.
For six months, “lotusbail” has remained available on npm, silently collecting a wide array of sensitive user information. This includes authentication tokens, comprehensive message histories, complete contact lists with phone numbers, and various media files shared through WhatsApp. Furthermore, the malware establishes persistent backdoor access, allowing attackers continued control over compromised WhatsApp accounts even after the package itself has been removed.
Data Exfiltration and Evasion Techniques
The stolen data is not transmitted in cleartext; instead, “lotusbail” employs a custom RSA encryption system to obscure the exfiltrated information before sending it to the attacker-controlled server. This is a critical indicator of malicious intent, as legitimate WhatsApp libraries rely on WhatsApp’s built-in end-to-end encryption. The custom encryption layer serves solely to mask the theft from network monitoring tools.
The attackers have implemented multi-layered obfuscation to conceal the exfiltration server address. This includes Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption, making it extremely difficult to trace the origin or destination of the stolen data. Additionally, the malware hijacks WhatsApp’s device pairing mechanism using a hardcoded, AES-encrypted pairing code. This allows the attacker to link their own device to victim accounts, granting them full access.
To further evade detection by security researchers and automated analysis tools, the “lotusbail” package incorporates 27 infinite loop traps. These traps are designed to activate when debugging tools are detected, significantly complicating efforts to analyze the malware’s behavior and understand its full capabilities.
The discovery of “lotusbail” underscores the persistent threats within the software supply chain and the need for heightened vigilance when incorporating third-party code into development projects. Developers are strongly advised to review their installed dependencies and remove the “lotusbail” package immediately if it has been utilized. Further investigation into the full extent of the breach and the exact commands executed by the backdoor is ongoing. The npm security team has been alerted and is expected to take action to remove the malicious package and potentially strengthen their review processes to prevent similar occurrences in the future.