A malicious npm package called “lotusbail” has been secretly stealing WhatsApp messages and user data from developers around the world.
All about lotusbail
The package has been downloaded more than 56,000 times and pretends to be a normal WhatsApp Web API library, while running hidden malware in the background.
It claims to be a fork of the trusted @whiskeysockets/baileys package, which makes it look safe and reliable to developers building WhatsApp integrations.
What makes this threat more dangerous is that the package actually works as expected. It can send and receive WhatsApp messages normally, unlike many malicious packages that quickly break or fail.
Because it functions properly, developers test it, deploy it, and trust it, without realizing that their data is being stolen silently in the background.
The malicious package stayed on npm for nearly six months and was still live when it was discovered.
During that time, it quietly stole WhatsApp session tokens, messages, contacts, and shared files, while keeping hidden access to compromised accounts.
Researchers from Koi Security uncovered the threat after noticing suspicious behavior during runtime analysis.
The malware works by intercepting the WebSocket connection to WhatsApp, allowing it to copy everything sent and received without the user knowing.
The malware encrypts stolen data using its own RSA encryption before sending it to the attacker’s server. This is suspicious because legitimate WhatsApp libraries already rely on WhatsApp’s built-in end-to-end encryption and do not need extra encryption.
The added encryption exists only to hide stolen data from security monitoring tools.
The attacker’s server address is heavily obfuscated using multiple encoding and encryption layers, making it hard to trace where the data is sent. The malware also abuses WhatsApp’s device-pairing feature, allowing attackers to link their own device to victim accounts and keep access even after the package is removed.
To avoid analysis, the package includes many anti-debugging traps that trigger when security tools are detected, making investigation difficult.
Leave A Comment