- Malicious NPM lotusbail package hijacks WhatsApp accounts and steals tokens, messages and contacts
- Attackers link your device via WhatsApp pairing and persist even after package removal.
- The package had more than 56,000 downloads before it was discovered; developers are urged to check sources carefully.
Node Package Manager (NPM) registry users are being attacked by malware that takes over their WhatsApp accounts, steals messages and contact lists, experts have warned.
Cybersecurity researchers Koi Security recently discovered a fork of the popular WhiskeySockets Baileys project, an open source TypeScript/JavaScript library that provides a WebSocket-based API to interact with the WhatsApp web protocol, allowing developers to programmatically connect to WhatsApp as an add-on device.
The malicious fork, called ‘lotusbail’, has the same functionality as the legitimate project, but also steals WhatsApp authentication tokens and session keys. Additionally, it intercepts and logs all messages, and exfiltrates contacts, media files and other documents to a third-party server.
Taking control of WhatsApp accounts
“The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application first passes through the malware’s socket wrapper,” Koi Security said in its report.
“When you authenticate, the container captures your credentials. When messages arrive, it intercepts them. When you send messages, it logs them.”
But perhaps most alarming is that the package links the attacker’s device to the victim’s WhatsApp account through the app’s pairing feature. That means that even if the victim deletes the malicious NPM package, their WhatsApp account remains compromised until the link is manually disconnected.
The malware was on npm for at least half a year, and during that time it racked up more than 56,000 downloads.
NPM is one of the world’s most popular public online registries, hosting JavaScript packages published through the npm tool. It allows developers to discover, download, and manage private and open source packages used in Node.js and JavaScript projects.
As such, it is constantly bombarded with all kinds of scams and hacking attacks, from malicious forks of legitimate projects to typosquatted package names. To stay safe, developers are advised to be very careful when downloading and running anything, even packages with thousands of downloads, and to verify that a package really comes from the project it claims to belong to.