Cybersecurity researchers have flagged a dangerous malicious package on npm that has been secretly stealing WhatsApp messages and sensitive user data from developers and production systems across the world.
The package, named lotusbail, masquerades as a legitimate WhatsApp Web API library and has been downloaded more than 56,000 times. It falsely presents itself as a fork of the trusted @whiskeysockets/baileys package, making it appear safe for developers integrating WhatsApp messaging into applications.
Malware that works like a real library
What makes lotusbail particularly dangerous is that it functions exactly as advertised. Developers who installed it were able to send and receive WhatsApp messages normally, allowing the package to pass basic testing and even code reviews.
Security analysts say this “working malware” model enabled the package to remain undetected on npm for nearly six months, quietly harvesting data in the background while being actively used in live systems.
Massive data theft uncovered
According to runtime analysis by Koi Security, the malware was collecting complete WhatsApp session keys, full message histories, contact lists with phone numbers, and shared media files.
The attack works by wrapping the legitimate WebSocket client that connects to WhatsApp servers, effectively creating a man-in-the-middle setup that duplicates all data flowing through the connection.
Custom encryption hides stolen data
Researchers found that the malware encrypts stolen data using a custom RSA-based system before exfiltration. This is a critical warning sign, as WhatsApp already provides end-to-end encryption and no additional cryptography is required in genuine libraries.
To further evade detection, the destination server address is concealed through multiple layers of obfuscation, including compression, encoding and AES encryption, making traffic analysis extremely difficult.
Persistent backdoor and anti-analysis tricks
The package also hijacks WhatsApp’s device pairing process using a hardcoded, encrypted pairing code, allowing attackers to link their own devices to compromised accounts. This gives them continued access even if the package is later removed.
In addition, researchers identified 27 infinite-loop traps designed to activate when debugging tools are detected, deliberately frustrating security analysis.
Warning for developers
Cybersecurity experts warn developers, including startups and IT teams in India’s tech hubs, to immediately audit dependencies, rotate WhatsApp credentials and remove the package if present. The incident highlights growing risks in open-source supply chains and the need for stricter package verification practices.
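The dependency audit the advice above calls for, as an added example that is not code from the article or from Koi Security: it scans an npm package-lock.json for a named package anywhere in the tree, covering both the v1 nested "dependencies" layout and the v2/v3 "packages" map, so a transitive install is not missed. The sample lockfile, its package names other than lotusbail and @whiskeysockets/baileys, and all version numbers are constructed.

```javascript
// Added example, not code from the article or from Koi Security: search an npm
// package-lock.json for a known-bad package anywhere in the dependency tree,
// for both lockfile v1 (nested "dependencies") and v2/v3 (flat "packages").
// v2/v3: keys are install paths such as "node_modules/a/node_modules/b".
function findInPackagesMap(packages, name) {
  const hits = [];
  for (const [installPath, rec] of Object.entries(packages)) {
    if (installPath === '') continue; // root project entry, not a dependency
    const segments = installPath.split('node_modules/');
    const installedAs = segments[segments.length - 1];
    // Match the install directory or an explicit "name" field (aliased installs).
    if (installedAs === name || rec.name === name) {
      hits.push({ path: installPath, version: rec.version });
    }
  }
  return hits;
}

// v1: "dependencies" is a tree; each node may nest its own "dependencies".
function findInDependencyTree(deps, name, prefix, hits) {
  for (const [depName, rec] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${depName}`;
    if (depName === name) hits.push({ path, version: rec.version });
    findInDependencyTree(rec.dependencies, name, `${path}/`, hits);
  }
  return hits;
}

// Returns every install location of `name`; empty when the package is absent.
function auditLockfile(lock, name) {
  if (lock.packages) return findInPackagesMap(lock.packages, name);
  return findInDependencyTree(lock.dependencies, name, '', []);
}

// Constructed sample (v3 layout, versions invented): lotusbail arrives only
// transitively via a helper package, so a top-level-only check would miss it.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'wa-bot', dependencies: { 'wa-helper': '^1.0.0' } },
    'node_modules/wa-helper': { version: '1.0.0', dependencies: { lotusbail: '*' } },
    'node_modules/wa-helper/node_modules/lotusbail': { version: '1.2.3' },
    'node_modules/@whiskeysockets/baileys': { version: '1.0.0' },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK_V3, 'lotusbail')) {
  console.log(`FOUND lotusbail at ${hit.path} (version ${hit.version})`);
}
```

To run it against a real project, pass `JSON.parse` of the project's package-lock.json to `auditLockfile` and treat any non-empty result as a removal and credential-rotation task.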
