- The malicious NPM package lotusbail hijacks WhatsApp accounts, stealing session tokens, messages and contacts
- The attackers link their own device to the victim's account through WhatsApp's device pairing, and that link survives removal of the package
- Before it was discovered, the package had been downloaded more than 56,000 times; developers are urged to check the provenance of their dependencies carefully
Users of the Node Package Manager (NPM) registry are being targeted by malware that hijacks their WhatsApp accounts and steals their messages and contact lists, experts warn.
Researchers at Koi Security recently discovered a malicious fork of Baileys, the popular WhiskeySockets project: an open-source TypeScript/JavaScript library that provides a WebSocket-based API for the WhatsApp Web protocol, letting developers connect to WhatsApp programmatically as a companion (linked) device.
The malicious fork, published as “lotusbail”, retains all of the legitimate project's functionality but also steals WhatsApp authentication tokens and session keys. It intercepts and records every message, and forwards contacts, media files and other documents to a third-party server.
Take control of WhatsApp accounts
“The package includes a legitimate WebSocket client that talks to WhatsApp. Every message passing through your application first passes through the malware's socket wrapper,” the Koi Security report states.
“When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them.”
Perhaps most alarming, the package links the attacker's device to the victim's WhatsApp account through WhatsApp's own device-pairing (linked devices) feature. Because the link lives on the WhatsApp account rather than in the application, the account stays compromised even after the malicious NPM package is uninstalled, until the rogue device is manually removed from the account's linked devices.
The malware had been on NPM for at least six months and was downloaded more than 56,000 times in that period.
NPM is one of the world's most popular public package registries, hosting JavaScript packages published through the npm tooling. It lets developers find, download and manage open-source and private packages used in Node.js and JavaScript projects.
As a result it is constantly targeted by all sorts of scams and attacks, from malicious forks of legitimate projects to typosquatting. Developers are advised to be especially careful about what they download and run, checking that a package's name and publisher match the upstream project they expect, even for projects with thousands of downloads: a high download count is not evidence that a package is safe.
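The checks above can be scripted against the project's package-lock.json before anything is installed or run. The following Node.js script is an added example written for this article, not code from TechRadar, Koi Security or the Baileys project: it walks a lockfile and flags packages on a known-malicious list, packages resolved from somewhere other than the public registry, packages that run install scripts, and package names within one edit of a trusted name (typosquats). The lockfile is constructed for illustration; only the names lotusbail and @whiskeysockets/baileys come from the article, and "wss" and the git-resolved "left-pad" entry are hypothetical.

```javascript
// Added example, not part of the article or of any package it describes.
// Audits a package-lock.json (v2/v3 "packages" map) for supply-chain red flags.

const KNOWN_BAD = new Set(["lotusbail"]); // name reported in the article
const TRUSTED = ["@whiskeysockets/baileys", "ws"]; // names this project expects
const REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile. Real lockfiles carry the same fields.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-bot", dependencies: { lotusbail: "^6.0.0" } },
    "node_modules/lotusbail": {
      version: "6.7.9",
      resolved: "https://registry.npmjs.org/lotusbail/-/lotusbail-6.7.9.tgz",
      hasInstallScript: true, // assumption for the example, not a reported fact
    },
    "node_modules/@whiskeysockets/baileys": {
      version: "6.7.9",
      resolved: "https://registry.npmjs.org/@whiskeysockets/baileys/-/baileys-6.7.9.tgz",
    },
    "node_modules/wss": { // hypothetical look-alike of the trusted "ws"
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/wss/-/wss-1.0.0.tgz",
    },
    "node_modules/left-pad": { // hypothetical entry pulled from a git URL
      version: "1.3.0",
      resolved: "git+ssh://git@github.com/example/left-pad.git#deadbeef",
    },
  },
};

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let last = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, last + (a[i - 1] === b[j - 1] ? 0 : 1));
      last = tmp;
    }
  }
  return prev[b.length];
}

// "@scope/name" -> "name"; unscoped names are returned unchanged.
function bareName(name) {
  return name.startsWith("@") ? name.split("/")[1] : name;
}

// Package name is everything after the last "node_modules/" in the lock path,
// which also handles nested installs such as "node_modules/a/node_modules/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns a list of {name, rule, detail} findings; an empty list means clean.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = nameFromPath(path);
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, rule: "known-malicious", detail: meta.version });
    }
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, rule: "off-registry", detail: meta.resolved });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, rule: "install-script", detail: "runs code at npm install" });
    }
    if (!TRUSTED.includes(name)) {
      for (const trusted of TRUSTED) {
        const d = levenshtein(bareName(name), bareName(trusted));
        if (d > 0 && d <= 1) {
          findings.push({ name, rule: "lookalike", detail: `1 edit from ${trusted}` });
        }
      }
    }
  }
  return findings;
}

console.table(auditLockfile(sampleLock));
```

Run it as `node audit-lock.js`; to audit a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The lookalike rule is deliberately strict (one edit) because short names such as `ws` would otherwise produce many false positives; a longer fork name such as lotusbail is not a typosquat and is only caught by the blocklist, which is why a name list alone is not enough and the publisher of a package should be checked against the upstream project as well.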