Security researchers have uncovered a dangerous npm package that disguises itself as a legitimate WhatsApp Web API library. It’s designed to secretly steal messages, login credentials, and contact information from developers’ environments. The package, called “lotusbail,” looks like a normal dependency but hides malicious code that can cause serious security issues.

How the Malicious Package Works

Initially, lotusbail seemed like a helpful fork of a popular WhatsApp library used by developers to send and receive messages through WebSockets. It had over 56,000 downloads and appeared to function as promised. Many developers installed it without suspecting anything was wrong. However, deeper investigation revealed that it wrapped a legitimate WhatsApp WebSocket client in a malicious proxy layer.

This proxy intercepted all operations, including those involving sensitive data like session tokens and encryption keys. It duplicated every message and login activity without the user’s knowledge. When a user authenticated, lotusbail captured session details, which allowed attackers to access WhatsApp accounts remotely. All intercepted messages and credentials were encrypted and secretly transmitted to attacker-controlled servers, making detection difficult.

Advanced Obfuscation and Data Exfiltration

The malware used multiple layers of obfuscation to hide its activities. Data sent to the attacker’s server was encrypted with a custom RSA layer and compressed using techniques like Unicode manipulation, Base-91 encoding, and AES encryption. These measures made it almost impossible for network monitoring tools to detect the exfiltration of sensitive data in real time. The server URL was buried in encrypted strings, adding another layer of concealment.

Another alarming feature was how the package maintained persistence even after uninstallation. WhatsApp allows users to link multiple devices to a single account through a pairing process involving an 8-character code. Lotusbail hijacked this process by embedding a hardcoded pairing code, effectively adding the attacker’s device as a trusted endpoint. This meant that even if the package was removed, the attacker’s device remained linked to the compromised WhatsApp account.

Implications for Developers and Enterprises

This attack highlights the risks of relying on third-party dependencies, especially popular ones with millions of downloads. Developers often install such packages without scrutinizing their code, making them vulnerable to malicious actors. The fact that lotusbail operated as a fully functional library only increased its appeal and spread among developers.

For organizations, this case underlines the importance of monitoring dependencies and verifying their trustworthiness. It also demonstrates how attackers can exploit legitimate features, like WhatsApp’s multi-device support, to maintain long-term access to compromised accounts. Removing the package does not necessarily remove the threat, since the attacker’s device can stay linked to the account.

Overall, this incident serves as a reminder to be cautious with third-party code and to implement security measures that can detect unusual activity. Regular code audits and network monitoring are essential to identify and prevent such sophisticated attacks before they cause damage.

Inspired by

• https://www.infoworld.com/article/4111071/whatsapp-api-worked-exactly-as-promised-and-stole-everything-2.html

Sources

• koi.ai
• csoonline.com