Full Report
And it's especially dangerous because the code works. A malicious npm package with more than 56,000 downloads masquerades as a working WhatsApp Web API library, then steals messages, harvests credentials and contacts, and hijacks users' WhatsApp accounts.…
Analysis Summary
# Tool/Technique: lotusbail npm package
## Overview
`lotusbail` is a malicious npm package that masquerades as a working WhatsApp Web API library. It is a fork of the legitimate `@whiskeysockets/baileys` library and provides functional APIs for sending and receiving WhatsApp messages while simultaneously exfiltrating sensitive data.
## Technical Details
- Type: Malware (Supply Chain Compromise - Malicious Library)
- Platform: JavaScript/Node.js (via npm ecosystem)
- Capabilities: Interception of WhatsApp communications, credential harvesting, contact list theft, message exfiltration, account hijacking via device linking.
- First Seen: Available for six months prior to the report date (Mon 22 Dec 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Web Browsers (Implied, as authentication tokens are targeted)
- TA0007 - Discovery
- T1087 - Account Discovery (Discovery of linked contacts/users)
- TA0011 - Persistence
- T1554 - Compromise Software Supply Chain (Persistence mechanism through device linking)
## Functionality
### Core Capabilities
- Functions as a legitimate WhatsApp API library, offering real message sending and receiving capabilities (based on the legitimate Baileys library).
- Uses WebSocket communication to monitor all traffic passing through its socket wrapper.
- Captures user credentials upon login to the WhatsApp API wrapper.
- Intercepts all messages sent and received by the user.
### Advanced Features
- Data Harvesting: Duplicates and prepares for exfiltration:
  - WhatsApp authentication tokens.
  - Every message sent or received.
  - Complete contact lists.
  - Media files.
- Evasion/Obfuscation: Employs four layers of defense before exfiltration:
  1. Custom RSA implementation for data encryption.
  2. Unicode manipulation.
  3. LZString compression.
  4. Base-91 encoding.
  5. AES encryption.
- Account Hijacking/Persistence: Backdoors the user's WhatsApp account by linking the attacker's device during the chat app's device pairing process. This linkage persists even after the malicious package is uninstalled.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `lotusbail` (npm package name)
- Registry Keys: [Not applicable for npm package initial execution, focus is on software behavior]
- Network Indicators: Attacker-controlled server (C2 address not specified/defanged). Malicious communication utilizes WebSocket protocols.
- Behavioral Indicators: Installation of a package masquerading as a legitimate API (`@whiskeysockets/baileys` fork). Data being encrypted using RSA/AES and compressed/encoded (LZString, Base-91) prior to network egress. Successful device linking to an unauthorized external device ID associated with WhatsApp.
## Associated Threat Actors
- The article does not attribute this specific package to a named threat actor group but frames it as part of a broader trend illustrating supply chain risk, similar to incidents linked to "Tea token farming campaigns."
## Detection Methods
- Signature-based detection: Signatures targeting the specific file content or structure of the `lotusbail` package manifest/code.
- Behavioral detection: Monitoring for the execution of node packages that attempt to capture authentication tokens, enumerate contacts, or initiate sophisticated multi-layered encryption/exfiltration routines. Specifically detecting post-installation behavior that links the user's WhatsApp account to an external, unverified device.
- YARA rules: Rules could be developed targeting the unique combination of RSA implementation, LZString/Base-91 encoding, and embedded WhatsApp message interception logic.
## Mitigation Strategies
- Prevention measures: Scrutinizing dependencies, especially those claiming to offer proprietary access via popular platforms (like WhatsApp API). Using supply chain security validation tools to check package reputation and history before installation.
- Hardening recommendations: Limiting the scope of permissions granted to development dependencies. Regularly auditing installed npm packages and monitoring user applications for unexpected device linking activity.
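The behavioral detection and package-audit recommendations above, as an added example (not code from the page or from the Socket report): a triage pass over installed package manifests that flags two lotusbail-style signals, a name or description that trades on a known library, and a dependency set resembling an encode/compress/encrypt exfiltration stack. The dependency names in `PIPELINE_DEPS` and the sample manifests are constructed assumptions, not values taken from the `lotusbail` package.

```javascript
// Added example: heuristic audit of package manifests (node_modules/*/package.json).
// Manifests below are constructed; dependency names in PIPELINE_DEPS are illustrative.
const KNOWN_LIBRARIES = ["@whiskeysockets/baileys"];
// Assumed names standing in for the LZString / Base-91 / RSA-AES pipeline the report describes.
const PIPELINE_DEPS = ["lz-string", "base91", "node-forge", "crypto-js"];

const bareName = (n) => n.replace(/^@[^/]+\//, "").toLowerCase();

// True if `name` embeds a 4+ character chunk of a known library's bare name
// (e.g. "lotusbail" carries "bail" from "baileys") without being that library.
function tradesOnKnownName(name, known) {
  if (name === known) return false;
  const k = bareName(known), n = bareName(name);
  for (let len = k.length; len >= 4; len--)
    for (let i = 0; i + len <= k.length; i++)
      if (n.includes(k.slice(i, i + len))) return true;
  return false;
}

// Returns the list of reasons a single manifest deserves manual review.
function auditManifest(m) {
  const reasons = [];
  const text = `${m.description || ""} ${(m.repository && m.repository.url) || ""}`.toLowerCase();
  for (const lib of KNOWN_LIBRARIES) {
    if (m.name === lib) continue; // the genuine package is not an impersonation
    if (tradesOnKnownName(m.name, lib) || text.includes(lib.toLowerCase()))
      reasons.push(`presents itself as or derives from ${lib}`);
  }
  const hits = Object.keys(m.dependencies || {}).filter((d) => PIPELINE_DEPS.includes(d));
  if (hits.length >= 2) reasons.push(`encode/compress/encrypt stack: ${hits.join(", ")}`);
  return reasons;
}

function auditManifests(manifests) {
  return manifests
    .map((m) => ({ name: m.name, reasons: auditManifest(m) }))
    .filter((f) => f.reasons.length > 0);
}

// Constructed sample manifests: the genuine library, a look-alike fork, and a benign package.
const SAMPLE_MANIFESTS = [
  { name: "@whiskeysockets/baileys", description: "WhatsApp Web API", dependencies: { ws: "^8.0.0" } },
  { name: "lotusbail", description: "WhatsApp Web API (fork of @whiskeysockets/baileys)",
    dependencies: { ws: "^8.0.0", "lz-string": "^1.5.0", base91: "^1.0.0", "crypto-js": "^4.0.0" } },
  { name: "left-pad", description: "String left pad", dependencies: {} },
];

const FINDINGS = auditManifests(SAMPLE_MANIFESTS);
for (const f of FINDINGS) console.log(`${f.name}: ${f.reasons.join("; ")}`);
```

In a real audit, read each `package.json` under `node_modules` into the same shape and treat a hit as a prompt for review, not as proof of compromise.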
## Related Tools/Techniques
- Legitimate library used for camouflage: `@whiskeysockets/baileys`
- General Technique: Software Supply Chain Compromise, Malicious Library Injection.
- Related Events Mentioned: Token farming campaigns utilizing compromised npm libraries.