{"id":6311,"date":"2025-12-23T11:35:48","date_gmt":"2025-12-23T11:35:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6311"},"modified":"2025-12-23T11:35:48","modified_gmt":"2025-12-23T11:35:48","slug":"whatsapp-api-worked-exactly-as-promised-and-stole-everything","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6311","title":{"rendered":"WhatsApp API worked exactly as promised, and stole everything"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have uncovered a malicious npm package that poses as a legitimate WhatsApp Web API library while quietly stealing messages, credentials, and contact data from developer environments.<\/p>\n<p>The package, identified as \u201clotusbail,\u201d operates as a trojanized wrapper around a genuine WhatsApp client library and had accumulated more than 50k downloads by the time it was flagged by Koi Security.<\/p>\n<p>\u201cWith over 56000 downloads and functional code that actually works as advertised, it is the kind of dependency developers install without a second thought,\u201d Koi researchers said in a blog <a href=\"https:\/\/www.koi.ai\/blog\/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages\" target=\"_blank\" rel=\"noopener\">post<\/a>. \u201cThe package has been available on npm for 6 months and is still live at the time of writing.\u201d<\/p>\n<p>Stolen data was encrypted and exfiltrated to attacker-controlled infrastructure, reducing the likelihood of detection by network monitoring tools. 
Even more concerning for enterprises is the fact that lotusbail abuses WhatsApp\u2019s multi-device pairing to maintain persistence on compromised accounts even after the package is removed.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Legitimate API wrapped in a malicious proxy<\/h2>\n<p>According to the researchers, lotusbail initially didn\u2019t appear to be anything more than a helpful fork of the legitimate \u201c@whiskeysockets\/baileys\u201d library used for interacting with WhatsApp via WebSockets. Developers could install it, send messages, receive messages, and never notice anything wrong.<\/p>\n<p>Further probing, however, revealed an issue.<\/p>\n<p>The package wrapped the legitimate WhatsApp WebSocket client in a malicious proxy layer that transparently duplicated every operation, including the ones involving sensitive data. During authentication, the wrapper captured session tokens and keys. Every message flowing through the application was intercepted, logged, and prepared for covert transmission to attacker-controlled infrastructure.<\/p>\n<p>Additionally, the stolen information was protected en route. Rather than sending credentials and messages in plaintext, the malware employs a custom <a href=\"https:\/\/www.csoonline.com\/article\/3995036\/breaking-rsa-encryption-just-got-20x-easier-for-quantum-computers.html\">RSA encryption<\/a> layer and multiple obfuscation strategies, making detection by network monitoring tools harder and allowing exfiltration to proceed under the radar.<\/p>\n<p>\u201cThe exfiltration server URL is buried in encrypted configuration strings, hidden inside compressed payloads,\u201d the researchers noted. \u201cThe malware uses four layers of obfuscation: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. 
The server location isn\u2019t hardcoded anywhere visible.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Backdoor sticks around even after package removal<\/h2>\n<p>Koi said the most significant component of the attack was its persistence. WhatsApp allows users to link multiple devices to a single account through a pairing process involving an 8-character code. The malicious lotusbail package hijacked this mechanism by embedding a hardcoded pairing code that effectively added the attacker\u2019s device as a trusted endpoint on the user\u2019s WhatsApp account.<\/p>\n<p>Even if developers or organizations later uninstalled the package, the attacker\u2019s linked device remained connected. This allowed the attack to persist until the WhatsApp user manually unlinked all devices from the settings panel.<\/p>\n<p>Persistent access allows the attackers to continue reading messages, harvesting contacts, sending messages on behalf of victims, and downloading media long after the initial exposure.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>What must developers and defenders do?<\/h2>\n<p>Koi\u2019s disclosure noted that traditional safeguards, based on reputation metrics, metadata checks, or static scanning, fail when malicious logic mimics legitimate behavior.<\/p>\n<p>\u201cThe malware hides in the gap between \u2018this code works\u2019 and \u2018this code does only what it claims\u2019,\u201d the researchers said, adding that such supply-chain threats require monitoring package behavior at runtime rather than relying on static checks alone. They recommended looking for warning signs (or relying on tools that can detect them), such as custom RSA encryption routines and dozens of embedded anti-debugging mechanisms in the malicious code.<\/p>\n<p>The package remains available on npm, with its most recent <a href=\"https:\/\/www.npmjs.com\/package\/lotusbail?activeTab=versions\" target=\"_blank\" rel=\"noopener\">update<\/a> published just five days ago. 
GitHub, which has owned npm since 2020, did not immediately respond to CSO\u2019s request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have uncovered a malicious npm package that poses as a legitimate WhatsApp Web API library while quietly stealing messages, credentials, and contact data from developer environments. The package, identified as \u201clotusbail,\u201d operates as a trojanized wrapper around a genuine WhatsApp client library and had accumulated more than 50k downloads by the time it [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6312,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6311"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6311"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6312"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%
2Fwp%2Fv2%2Ftags&post=6311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}