npm Data Leak: Fake WhatsApp API Package Steals SMS, Contacts, & Login Tokens
“A fake WhatsApp API package published to the npm registry steals messages, contact details, and login tokens from the applications that use it.”
Cybersecurity researchers have disclosed a malicious package on the npm registry that works as a fully functional WhatsApp API while intercepting every message and linking an attacker-controlled device to the victim’s WhatsApp account.
The package, “lotusbail,” was published to the registry in May 2025 by a user named “seiren_primrose” and has been downloaded more than 56,000 times, 711 of them in the past week. At the time of writing, the library is still available for download.
Tuval Admoni, Koi Security researcher, in the report:
| The malware, which poses as a useful utility, “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server.”
“You link the threat actor’s device in addition to your application when you use this library for authentication.”
“You are unaware that they have full, ongoing access to your WhatsApp account.” |
Specifically, it can capture message histories, media files and documents, contact lists with phone numbers, authentication tokens, and session keys. Notably, the library was modeled on @whiskeysockets/baileys, a legitimate WebSockets-based TypeScript library for interacting with the WhatsApp Web API.
This is achieved through a malicious WebSocket wrapper that sits in the path of messages and authentication data, allowing it to capture credentials and conversations. The stolen data is encrypted and sent to a URL under the attacker’s control.

The attack does not end there: the package also contains hidden functionality that hijacks the device-linking process and uses a hard-coded pairing code to obtain persistent access to the victim’s WhatsApp account.
Linking their own device to the target’s WhatsApp gives the threat actor not only ongoing access to contacts and conversations but also persistence: the linked device stays connected until the victim unlinks it in the app’s settings, so access survives removal of the package from the system.
Idan Dardikman, Koi Security, to The Hacker News:
| The malicious behavior is triggered when the developer connects to WhatsApp using the library.
“Once you authenticate and begin sending and receiving messages, the interception begins because the virus wraps the WebSocket client.”
“Other than using the API normally, no special function is required. The attacker’s device is connected as soon as you connect your app to WhatsApp, since the backdoor pairing code also activates during the authentication process.”
Additionally, “lotusbail” has anti-debugging features that, when debugging tools are detected, send it into an infinite-loop trap that freezes execution. |
Koi Security
| “Attacks on supply chains are becoming more frequent rather than less frequent.”
“This is not detected by traditional security. Static analysis recognizes and validates functional WhatsApp code. You can trust reputation systems, which have received 56,000 downloads. The space between ‘this code works’ and ‘this code only does what it claims’ is where the malware hides.” |
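The gap Koi Security describes, between code that works and code that only does what it claims, narrows considerably once you ask the package source a simple question: which hosts does it reference? The audit below is an added example written for this page, not code from the Koi Security report, from lotusbail, or from baileys. It scans a map of file paths to JavaScript source text for URL and hostname literals, flags any host outside an allowlist, and greps for common debugger-detection idioms. The allowlist (web.whatsapp.com and mmg.whatsapp.net), the regexes, the anti-debug indicators, the function names and the sample files are all assumptions made for the example; the sample “wrapper” file and its collector.attacker.example host are constructed here, not taken from the real package.

```javascript
// Added example, not code from the Koi Security report or from any package it
// names: scan a package's JavaScript sources for the network endpoints they
// reference and for debugger-detection idioms. A fully working WhatsApp
// client must talk to WhatsApp; a host outside that set is exactly what
// functional testing never exercises and "does it work" review never questions.

// Hosts a WhatsApp Web client is expected to reach. ASSUMPTION for this
// example; build the real list from the upstream library you intend to use.
const EXPECTED_HOSTS = new Set(["web.whatsapp.com", "mmg.whatsapp.net"]);

// URL literals with a scheme; captures the host part.
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;
// Bare quoted hostnames with at least three labels (a.b.tld), to catch hosts
// that are joined onto a scheme at runtime. Two-label names are skipped so
// that file names such as "socket.js" do not match.
const BARE_HOST_RE = /(["'`])((?:[a-z0-9-]+\.){2,}[a-z]{2,})\1/gi;
// Generic debugger-detection idioms. ASSUMPTION: heuristics chosen for the
// example, not signatures taken from lotusbail. A hit means "look", not "guilty".
const ANTI_DEBUG_RE = [
  /require\(\s*["']inspector["']\s*\)/,
  /--inspect/,
  /\bdebugger\b/,
];

// Sorted, de-duplicated hosts referenced in one source file.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  for (const m of source.matchAll(BARE_HOST_RE)) hosts.add(m[2].toLowerCase());
  return [...hosts].sort();
}

// Audit a map of { relativePath: sourceText }. Each finding is either an
// unexpected host or an anti-debugging indicator, tagged with its file.
function auditSources(files, expectedHosts = EXPECTED_HOSTS) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const host of extractHosts(source)) {
      if (!expectedHosts.has(host)) {
        findings.push({ file, kind: "unexpected-host", detail: host });
      }
    }
    for (const re of ANTI_DEBUG_RE) {
      if (re.test(source)) findings.push({ file, kind: "anti-debug", detail: re.source });
    }
  }
  return findings;
}

// Constructed sample package: one file that looks like a legitimate client and
// one that carries an extra collector host and a debugger check. Both files
// and the attacker host are invented for this example.
const SAMPLE_FILES = {
  "lib/socket.js": [
    'const WS_URL = "wss://web.whatsapp.com/ws/chat";',
    'const MEDIA_BASE = "https://mmg.whatsapp.net/";',
  ].join("\n"),
  "lib/wrapper.js": [
    'const SINK = "collector.attacker.example"; // joined onto "https://" later',
    'if (process.execArgv.some((a) => a.startsWith("--inspect"))) { for (;;) {} }',
  ].join("\n"),
};

function runSampleAudit() {
  return auditSources(SAMPLE_FILES);
}

for (const f of runSampleAudit()) {
  console.log(`${f.file}: ${f.kind} ${f.detail}`);
}
```

To run this over a real installed package, build the `files` map by reading every .js file under node_modules/<name> (fs.readdirSync with recursion is enough) and run the same scan over the upstream library you meant to install; hosts that appear in one and not the other are the ones to explain. A clean result is not proof of innocence, since a host can be assembled at runtime or decoded from an obfuscated string, but an unexplained host is a reason to stop before the code ever authenticates.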
Malicious NuGet Packages Target the Crypto Ecosystem
The disclosure coincides with ReversingLabs detailing 14 malicious NuGet packages that pose as Nethereum, a .NET integration library for the Ethereum blockchain, and as other cryptocurrency-related tools. The packages exfiltrate private keys and seed phrases, or reroute transaction funds to attacker-controlled wallets when the transfer amount exceeds $100.
The packages, published from eight different accounts, are:
- csharp
- bitcoincore
- net
- net.api
- api
- unified
- nethereumnet
- nethereumunified
- netherеum.all
- solananet
- solnetall
- net
- solnetplus
- solnetunified
To give users the impression of an actively maintained project, the packages used tactics such as inflating download counts and rapidly publishing dozens of new versions. The campaign began in July 2025.
The malicious functionality is designed to activate only once developers install the packages and integrate specific features into their own programs. One package, GoogleAds.API, stands out because it targets Google Ads OAuth credentials rather than wallet secrets.
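A first, cheap check against both campaigns is a manifest audit: compare the dependency names a project actually resolves against the names reported here and against the legitimate name they imitate. The following is an added example written for this page, not code from Koi Security, ReversingLabs, Nethereum or baileys. It reads dependency names from a package-lock.json object and from .csproj PackageReference entries and flags names on the reported lists, names containing non-ASCII characters (the ninth NuGet entry above spells nethereum with a Cyrillic letter in place of the first e; the example assumes that letter is U+0435), and lookalikes of @whiskeysockets/baileys. The function names, the sample lockfile and the sample .csproj are constructed for the example. The generic names on the NuGet list (net, api, unified) will also match legitimate-looking references, so every hit needs a manual look rather than an automatic block.

```javascript
// Added example, not code from Koi Security, ReversingLabs or any project
// named on this page: audit an npm lockfile and a .csproj for dependency names
// that match the reported packages, contain non-ASCII letters (homoglyph
// typosquats), or look like the legitimate baileys package.

const LEGIT_BAILEYS = "@whiskeysockets/baileys";
const NPM_BLOCKLIST = new Set(["lotusbail"]);
// NuGet IDs are case-insensitive, so the list is lower-cased. Entries are
// exactly as listed on this page; the ninth spells nethereum with a Cyrillic
// letter (ASSUMPTION: U+0435) in place of the first "e".
const NUGET_BLOCKLIST = new Set([
  "csharp", "bitcoincore", "net", "net.api", "api", "unified",
  "nethereumnet", "nethereumunified", "nether\u0435um.all",
  "solananet", "solnetall", "solnetplus", "solnetunified",
]);

// Package names in both ecosystems are normally printable ASCII, so any other
// character is a strong homoglyph signal.
function hasNonAscii(name) {
  return /[^\x20-\x7e]/.test(name);
}

// Anything that is not the exact scoped baileys name but reads like it
// (this also catches "lotusbail").
function looksLikeBaileys(name) {
  return name !== LEGIT_BAILEYS && name.toLowerCase().includes("bail");
}

// Every applicable reason for one dependency name; an empty list means clean.
function classify(name, blocklist, caseInsensitive) {
  const key = caseInsensitive ? name.toLowerCase() : name;
  const reasons = [];
  if (blocklist.has(key)) reasons.push("reported-malicious");
  if (hasNonAscii(name)) reasons.push("non-ascii-name");
  if (looksLikeBaileys(name)) reasons.push("baileys-lookalike");
  return reasons;
}

// Dependency names from a package-lock.json (lockfileVersion 2 or 3): keys of
// "packages" are paths such as "node_modules/ws" or
// "node_modules/a/node_modules/@scope/b"; the key "" is the project itself.
function npmDependencyNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i !== -1) names.add(key.slice(i + "node_modules/".length));
  }
  return [...names].sort();
}

// PackageReference IDs from .csproj text. A regex covers the usual
// single-line form; use an XML parser for anything more elaborate.
function nugetDependencyNames(csprojText) {
  const re = /<PackageReference\b[^>]*\bInclude="([^"]+)"/g;
  return [...csprojText.matchAll(re)].map((m) => m[1]);
}

function auditNpmLock(lock) {
  return npmDependencyNames(lock)
    .map((name) => ({ ecosystem: "npm", name, reasons: classify(name, NPM_BLOCKLIST, false) }))
    .filter((f) => f.reasons.length > 0);
}

function auditCsproj(csprojText) {
  return nugetDependencyNames(csprojText)
    .map((name) => ({ ecosystem: "nuget", name, reasons: classify(name, NUGET_BLOCKLIST, true) }))
    .filter((f) => f.reasons.length > 0);
}

// Constructed sample manifests, not taken from any real project.
const SAMPLE_LOCK = {
  name: "wa-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "wa-bot" },
    "node_modules/@whiskeysockets/baileys": {},
    "node_modules/lotusbail": {},
    "node_modules/ws": {},
  },
};
const SAMPLE_CSPROJ = `<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" />
    <PackageReference Include="Nether\u0435um.All" />
    <PackageReference Include="solnetunified" />
  </ItemGroup>
</Project>`;

for (const f of [...auditNpmLock(SAMPLE_LOCK), ...auditCsproj(SAMPLE_CSPROJ)]) {
  console.log(`${f.ecosystem}: ${f.name} -> ${f.reasons.join(", ")}`);
}
```

The lockfile, not package.json, is the right input because it lists what was actually resolved, including transitive dependencies that a direct-dependency review never sees. For .NET, the equivalent of the lockfile is project.assets.json or a packages.lock.json when lock files are enabled; the same name checks apply to the IDs found there.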
ReversingLabs
| “Because they enable complete programmatic access to a Google Ads account, these values are extremely sensitive. If they are compromised, attackers could pretend to be the victim’s advertising client, read all campaign and performance data, create or alter ads, and even spend an infinite amount of money on a fraudulent or malicious campaign.” |
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security, covering cybersecurity concepts, current trends in cyber awareness, and ethical hacking.