
Malicious NPM Package Masquerading as WhatsApp Web API Steals Data and Hijacks Accounts

December 31, 2025


A malicious npm package with over 56,000 downloads is masquerading as a legitimate WhatsApp Web API library, but it secretly steals messages, harvests credentials and contacts, and hijacks user accounts.

The Deception Behind the Package

According to Koi Security, the package named lotusbail has been available for download for the past six months. Its danger lies in its ability to function as a real WhatsApp API.

"This one actually functions as a WhatsApp API," explained Koi Security researcher Tuval Admoni in a Sunday blog. "It's based on the legitimate Baileys library and provides real, working functionality for sending and receiving WhatsApp messages."

How the Malware Works

The package is a fork of the legitimate @whiskeysockets/baileys and, like the original, talks to WhatsApp over a WebSocket connection. Because the fork's own code sits on that connection, everything crossing it passes through attacker-controlled code, which lets the malware intercept:

  • Credentials during login
  • Sent and received messages
  • Contact lists and media files

Admoni highlights:

"All your WhatsApp authentication tokens, every message sent or received, complete contact lists, media files - everything that passes through the API gets duplicated and prepared for exfiltration."

Advanced Data Exfiltration Techniques

To conceal its activities, the malware employs multiple layers of obfuscation and encryption:

  • Uses custom RSA encryption
  • Applies Unicode manipulation
  • Compresses data with LZString
  • Encodes with Base-91
  • Applies AES encryption before transmission

The stolen data is sent to attacker-controlled servers, ensuring long-term access to compromised accounts.

Persistence via Device Pairing

Beyond data theft, the malware backdoors the user's WhatsApp account through the device pairing process, linking the attacker's device to the victim's account. Because the pairing lives in the account rather than in the package, this access persists even after the malicious package is uninstalled; removing the dependency alone does not revoke the attacker's linked device.

Growing Supply Chain Risks and Cybercriminal Campaigns

This incident exemplifies the increasing risks in the npm supply chain, including campaigns that spread token-farming malware across hundreds of thousands of packages. Previously, similar campaigns targeted cryptocurrencies, credentials, and secret data, flooding the registry with spammy packages.

In an interview with The Register, Tim Lewis, co-founder and CEO of Tea, discussed these threats:

"I view this as a canary in the coal mine. When you are a destructive organization ... there's incentive to use this same technique to attack supply chains. So we need to fix the core."

Conclusion

The prevalence of such malicious packages underscores the urgent need for improved security measures within software supply chains to prevent widespread exploitation and data breaches.
