A malicious NPM package named ‘Lotusbail’ masquerades as a WhatsApp Web API library and steals user credentials and data. It works as a functioning client library (message sending included) while intercepting all communications, and it grants persistent access to attackers, posing a significant security threat. #Lotusbail #NPMmalware
Key points
- The ‘Lotusbail’ package is a fork of the legitimate ‘Baileys’ library and has been available for six months.
- It captures all WhatsApp messages, contacts, media files, and authentication tokens via a wrapper around the WebSocket client.
- The package encrypts collected data with a custom RSA implementation before exfiltration to evade detection.
- Attackers hijack WhatsApp’s device pairing process to maintain long-term access to victims’ accounts.
- Removing the malicious package alone does not revoke access; users must manually unlink devices in WhatsApp settings.
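As an added defender-side example (not code from the article or from the package), the Node.js script below checks an npm lockfile for the package the article names and reports every installed copy and which packages declare it as a dependency; the lockfile content is constructed for the example.

```javascript
// Added example (not from the article or the package): triage an npm lockfile
// (lockfileVersion 2/3 "packages" map) for the 'lotusbail' package named in the
// article, listing every install path and what declares it as a dependency.
// SAMPLE_LOCK is a constructed stand-in for a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wa-bot", dependencies: { lotusbail: "^6.0.0", "wa-helper": "^1.0.0" } },
    "node_modules/lotusbail": { version: "6.7.0", dependencies: { ws: "^8.0.0" } },
    "node_modules/wa-helper": { version: "1.0.0", dependencies: { lotusbail: "^5.0.0" } },
    "node_modules/wa-helper/node_modules/lotusbail": { version: "5.9.0" },
    "node_modules/ws": { version: "8.17.0" },
  },
};

// Package names to flag; 'lotusbail' is the one the article names.
const SUSPECT_PACKAGES = new Set(["lotusbail"]);

// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"] (outermost first).
function chainFromPath(lockPath) {
  return lockPath.split("node_modules/").map((p) => p.replace(/\/$/, "")).filter(Boolean);
}

// Every installed copy of a suspect package, as [{ name, version, chain }].
// Nested copies matter: removing only the hoisted one leaves the others in place.
function findSuspectInstalls(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(lockPath);
    const name = chain[chain.length - 1];
    if (name && SUSPECT_PACKAGES.has(name)) {
      hits.push({ name, version: meta.version || "unknown", chain });
    }
  }
  return hits;
}

// Packages (root project included) that declare `suspect` as a direct dependency,
// which tells the operator whether it was added on purpose or pulled in transitively.
function directDependents(lock, suspect) {
  const dependents = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (Object.hasOwn(deps, suspect)) {
      const chain = chainFromPath(lockPath);
      dependents.push(lockPath === "" ? meta.name || "(root project)" : chain[chain.length - 1]);
    }
  }
  return dependents;
}
```

Against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a clean lockfile is only half the fix, since the paired device still has to be unlinked in WhatsApp.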
Read More: https://www.securityweek.com/npm-package-with-56000-downloads-steals-whatsapp-credentials-data/