Poisoned WhatsApp API package steals messages and accounts
theregister.co.uk

A malicious npm package with more than 56,000 downloads masquerades as a working WhatsApp Web API library, then steals messages, harvests credentials and contacts, and hijacks users' WhatsApp accounts.
According to Koi Security, the lotusbail npm package has been available for download for six months, and it's especially dangerous because the code works.
"This one actually functions as a WhatsApp API," Koi Security researcher Tuval Admoni said in a Sunday blog. "It's based on the legitimate Baileys library and provides real, working functionality for sending and receiving WhatsApp messages."
Like the legitimate @whiskeysockets/baileys package it is forked from, the secret-stealing library talks to WhatsApp over a WebSocket connection. In the fork, that socket is wrapped, so every WhatsApp communication passes through the wrapper, which captures your credentials when you log in and intercepts messages as they are sent and received ...
Copyright of this story solely belongs to theregister.co.uk.

