A malicious NPM package called lotusbail impersonates a legitimate WhatsApp Web API library to steal user data and maintain persistent access. Researchers warn developers to remove this package and monitor their WhatsApp accounts for unauthorized linked devices. #WhatsApp #NPMMalware
Keypoints
- The lotusbail package has over 56,000 downloads and has been active for at least six months.
- It intercepts and records WhatsApp messages, contacts, media, and documents through a WebSocket wrapper.
- The malware encrypts stolen data with multiple obfuscation and encryption layers before exfiltration.
- It links the attacker's device to the victim's WhatsApp, enabling persistent access until manual device removal.
- Developers should not rely on source code analysis alone and should monitor runtime behavior for anomalies.
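
To act on the removal advice, a project also has to be checked for indirect installs, not only the entries in package.json. The following is an added example, not code from the researchers' report: it searches a parsed package-lock.json for the package name, assuming the standard npm lockfile layouts. The sample lockfiles and the names `demo-bot`, `wa-helper` and `wa-client` are constructed for illustration.

```javascript
// Added example: locate a package by name in a parsed package-lock.json,
// including transitive (nested) installs and aliased installs.
const TARGET = 'lotusbail'; // package name taken from the report
const NM = 'node_modules/';

function findInLockfile(lock, name) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/b". "name" is set when the folder
  // name differs from the real package name (aliased install).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf(NM);
    const pkgName = meta.name || (i >= 0 ? path.slice(i + NM.length) : path);
    if (pkgName === name) hits.push({ path, version: meta.version || null });
  }
  // lockfileVersion 1: nested "dependencies" tree. Version 2 carries both
  // sections, so the tree is only walked when "packages" is absent.
  if (!lock.packages) {
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = trail + NM + dep;
        if (dep === name) hits.push({ path, version: meta.version || null });
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfiles (hypothetical project, placeholder versions).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-bot', version: '1.0.0' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/wa-helper': { version: '0.3.1' },
  'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-example' },
  'node_modules/wa-client': { name: 'lotusbail', version: '0.0.0-example' },
}};
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'wa-helper': { version: '0.3.1',
    dependencies: { lotusbail: { version: '0.0.0-example' } } },
}};

for (const hit of findInLockfile(sampleV3, TARGET)) {
  console.log(`found ${TARGET} at ${hit.path} (version ${hit.version})`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument.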