Weaponized npm Packages Target WhatsApp Developers with Remote Kill Switch

Socket’s Threat Research Team has uncovered a sophisticated supply chain attack targeting developers integrating with the WhatsApp Business API.

Two malicious npm packages, naya-flore and nvlore-hsc, published by the npm user nayflore using the email idzzcch@gmail.com, disguise themselves as legitimate WhatsApp socket libraries.

These packages exploit the growing ecosystem of third-party tools for WhatsApp automation, which has surged alongside the platform’s adoption by over 200 million businesses worldwide.

Developers often rely on libraries like whatsapp-web.js and baileys for building chatbots and messaging integrations, making these malicious alternatives particularly deceptive.

With over 1,110 downloads in a month, the packages remain active on the npm registry despite takedown requests submitted to the npm security team.

The attack vector leverages a remote-controlled destruction mechanism triggered by phone number verification, representing an escalation from typical data theft to outright system sabotage.

According to the ...