Full Report
Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named "lotusbail," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "
Analysis Summary
# Tool/Technique: lotusbail
## Overview
"lotusbail" is a malicious package distributed via the npm repository, masquerading as a fully functional WhatsApp API library. Its primary purpose is supply chain compromise, allowing the attacker to intercept all communications, steal sensitive WhatsApp data (credentials, contacts, session keys), and establish persistent, unauthorized access to the victim's WhatsApp account by linking the attacker's device to it.
## Technical Details
- Type: Malware/Malicious Library (Supply Chain Attack)
- Platform: JavaScript/Node.js ecosystem (npm registry)
- Capabilities: WhatsApp API emulation, data exfiltration, persistent backdoor establishment, anti-debugging measures.
- First Seen: May 2025 (Uploaded by user "seiren_primrose")
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Data is transmitted over encrypted means to an attacker-controlled URL)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Implied via anti-debugging)
- TA0003 - Persistence
- T1553.001 - Account Access (Achieved by linking the attacker's device to the victim's account, giving persistent access)
- TA0001 - Initial Access
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (Injection into a legitimate-looking package)
## Functionality
### Core Capabilities
- **Impersonation:** Functions as a working WhatsApp API by wrapping a legitimate library (@whiskeysockets/baileys).
- **Data Theft:** Captures authentication tokens, session keys, message history, contact lists (including phone numbers), media files, and documents.
- **Data Transmission:** Exfiltrates stolen data to an attacker-controlled server in an encrypted format.
### Advanced Features
- **Persistent Backdoor:** Hijacks the linking process using a hard-coded pairing code, linking the attacker’s device to the victim's WhatsApp account. This grants persistent access even after the malicious package is uninstalled.
- **Malicious Wrapper:** Intercepts activities by wrapping the legitimate WebSocket client; interception occurs automatically upon standard authentication and usage of the API.
- **Anti-Debugging:** Implements capabilities to detect debugging tools, triggering an infinite loop trap to freeze execution and prevent analysis.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not provided in the text)
- File Names: `lotusbail` (package name)
- Registry Keys: N/A
- Network Indicators: Attacker-controlled URL for encrypted data exfiltration (URL is not specified/defanged)
- Behavioral Indicators:
  - Successful authentication flow linking an external device via a hard-coded pairing code.
  - Transmission of configuration data, messages, and session artifacts over HTTPS/WebSockets to external destinations.
  - Execution freezing upon detection of standard debugging utilities.
## Associated Threat Actors
- Unknown. The package was uploaded by user "seiren_primrose." The text notes the increasing sophistication of supply chain attacks generally.
## Detection Methods
- Signature-based detection: Traditional static analysis may pass the code as legitimate, since it is a working API wrapper. Custom signatures targeting the known package name/import paths would be effective.
- Behavioral detection: Monitoring for outbound connections initiated during the authentication flow to unknown/untrusted external URLs. Detection of process hanging or infinite loops specifically when debuggers attach.
- YARA rules if available: N/A (Specific rules not provided)
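A lockfile check for the package name, as an added example that is not code from the article or from any scanner it mentions: it walks both npm lockfile layouts (v1 nested `dependencies`, v2/v3 `packages` map) so a transitive pull-in of `lotusbail` is flagged as well. The other package names and the version strings in the sample lockfile are constructed.

```javascript
// Added example: scan a parsed package-lock.json for the malicious
// "lotusbail" package, including transitive occurrences.
const BLOCKLIST = new Set(["lotusbail"]);

// lockfileVersion 1: dependencies are nested per installed package.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (BLOCKLIST.has(name)) hits.push({ name, version: meta.version, path });
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Return every blocklisted package in the lockfile with its install path.
function findBlocklisted(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      // Aliased installs carry an explicit "name"; otherwise derive it
      // from the last node_modules segment (keeps "@scope/pkg" intact).
      const name = meta.name || path.split("node_modules/").pop();
      if (BLOCKLIST.has(name)) hits.push({ name, version: meta.version, path });
    }
  } else {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample: a made-up "chat-helper" package pulls in lotusbail
// transitively. Versions are placeholders, not real published versions.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-bot", version: "1.0.0" },
    "node_modules/chat-helper": { version: "0.3.1" },
    "node_modules/chat-helper/node_modules/lotusbail": { version: "1.2.3" },
  },
};

for (const h of findBlocklisted(SAMPLE_LOCK_V3)) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
}
```

Pointing `findBlocklisted` at a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) turns it into a pre-install CI gate for the package name.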
## Mitigation Strategies
- **Supply Chain Verification:** Thoroughly audit third-party dependencies, especially open-source packages that require elevated system access or handle sensitive communication, even if they appear functional.
- **Source Trust:** Prefer established, well-vetted libraries over newly published, high-download-count packages unless verified by security teams.
- **Account Security:** Regularly review connected WhatsApp devices in the application settings to detect unauthorized persistent links established via the backdoor mechanism.
- **Development Environment Hardening:** Implement controls to prevent execution of packages that exhibit anti-debugging behaviors during development/local testing phases.
## Related Tools/Techniques
- **Impersonated Library:** `@whiskeysockets/baileys` (Legitimate library used for camouflage).
- **Comparison Group (Generic Supply Chain):** Malicious NuGet packages impersonating Nethereum targeting the crypto ecosystem (discussed in the latter half of the article).