Cybersecurity researchers have uncovered a malicious npm package named “lotusbail” that masquerades as a WhatsApp API but secretly intercepts messages and links attackers to victims’ WhatsApp accounts. The package has been widely downloaded, enabling attackers to steal credentials, harvest contacts, and maintain persistent access—posing a significant threat to users.
Key points
- The “lotusbail” package functions as a malicious WhatsApp API with over 56,000 downloads.
- It captures WhatsApp credentials, message history, contacts, media, and documents, then sends data to the attacker’s server.
- The malware establishes persistent access by hijacking the device linking process using a hard-coded pairing code.
- The package features anti-debugging capabilities to evade detection during analysis.
- Other malicious packages impersonate cryptocurrency library tools to steal funds and private keys in the crypto ecosystem.
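For defenders, one way to check whether a project pulls in the package named above, whether directly, transitively, or under an npm alias. This is an added example, not code from the article or the researchers; the function names, the sample lockfile, its other package names and all version numbers are constructed for illustration.

```javascript
const SUSPECT = 'lotusbail'; // package name reported in the article
const NM = 'node_modules/';

// True when a lockfile entry is `name`, installed directly or under an npm alias
// (v2/v3 keep the real name in "name"; v1 encodes it as "npm:<name>@<ver>").
function entryIsPackage(key, entry, name) {
  return key === name ||
    entry.name === name ||
    String(entry.version || '').startsWith(`npm:${name}@`);
}

// Returns [{ path, version }] for every install of `name` in a parsed lockfile.
function findInLockfile(lock, name) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf(NM);
    const key = i === -1 ? path : path.slice(i + NM.length);
    if (entryIsPackage(key, entry, name)) hits.push({ path, version: entry.version });
  }
  if (lock.packages) return hits; // v2 also carries "dependencies" with the same data
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const path = `${prefix}${NM}${key}`;
      if (entryIsPackage(key, entry, name)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3); names other than lotusbail and all versions are made up.
const sampleLock = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-bot", "dependencies": { "chat-helper": "^1.0.0" } },
    "node_modules/chat-helper": { "version": "1.0.0" },
    "node_modules/chat-helper/node_modules/lotusbail": { "version": "0.0.0" },
    "node_modules/wa-client": { "name": "lotusbail", "version": "0.0.0" },
    "node_modules/@scope/lotusbail": { "version": "2.0.0" }
  }
}`);

console.log(findInLockfile(sampleLock, SUSPECT));
```

To use it on a real project, pass the parsed contents of its package-lock.json to `findInLockfile`. A hit means the lockfile records an install of that name; it does not by itself show which version was published as malicious.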
Read More: https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html