Code that works can also be malware: this WhatsApp API is stealing messages


A popular WhatsApp library trusted by tens of thousands of developers was quietly spying on messages, contacts, and credentials, maintaining access even after being uninstalled.

For more than six months, a software package posing as a WhatsApp Web API library circulated freely on npm, the world’s largest JavaScript package repository.

However, research by cybersecurity firm Koi Security showed that behind its functional facade, the library contains sophisticated malware capable of stealing WhatsApp credentials, copying entire message histories, harvesting contact lists, and maintaining persistent, covert access to compromised accounts.


The malicious package, called lotusbail, has been downloaded more than 56,000 times since its initial upload. The library masquerades as a fork of @whiskeysockets/baileys, a widely used WhatsApp Web API library.

Image: WhatsApp Web API (Source: Koi)

What makes this malware stand out is that it works as advertised. The functional code allows applications using the API to actually send and receive WhatsApp messages.

This is the key to the attack’s success.

“The social engineering here is brilliant: developers don't look for malware in code that works. They look for code that breaks,” said Koi researchers.

By delivering real value, lotusbail passed informal trust checks and made its way into production environments, where its malicious behavior could operate unnoticed.

What the fake WhatsApp API steals:

  • Authentication tokens and session keys
  • Entire message history
  • Full contact lists with phone numbers
  • Media files and documents
  • Persistent backdoor access to your WhatsApp account

At its core, the package wrapped WhatsApp’s legitimate WebSocket client with an additional layer controlled by the attacker. Every interaction passes through this wrapper.

Behind the scenes, the malware captures session keys and authentication tokens. Incoming and outgoing messages are intercepted and duplicated. All shared media and contact data are also downloaded.

Before being forwarded to the attackers, the stolen data is encrypted using a custom RSA-based encryption scheme.


According to researchers, this custom cryptography is designed to evade network monitoring tools and keep the exfiltration from being detected.

The destination server receiving the data is deliberately obscured, hidden behind multiple layers of compression, encoding, and encryption. Its location was not visible in plain text anywhere in the code.

Access to your WhatsApp persists even after deletion

Lotusbail not only steals sensitive data but also establishes persistent access to victims’ WhatsApp accounts. WhatsApp allows multiple devices to be linked to a single account using pairing codes.

The malware hijacks this process by embedding a hardcoded, encrypted pairing code into the package, effectively linking the attacker’s device to the victim’s account.


This grants the threat actor ongoing access to messages, contacts, and media even after the npm package is removed from the application.


“This means the threat actor has a key to your WhatsApp account. When you use this library to authenticate, you're not just linking your application – you're also linking the threat actor's device,” explained researchers.

“They have complete, persistent access to your WhatsApp account, and you have no idea they're there.”

Uninstalling the API does not revoke that access. Victims must manually unlink all connected devices within WhatsApp’s settings, a step many would not know how to take.
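Removing the package and unlinking devices both assume you know the package is in your application at all; a package that arrives as a transitive dependency never appears in your own package.json. The following audit, an added example that is not from the article or from Koi's research, walks a package-lock.json (lockfileVersion 2 or 3) and reports every dependency chain that reaches a denylisted name such as lotusbail. The lockfile contents, the `wa-helper` package and all version numbers are constructed sample data.

```javascript
// Added example, not from the article: audit an npm package-lock.json for a
// denylisted package and show the chain that pulls it in, so a transitive
// inclusion (no developer added it directly) is still visible.
// Constructed sample lockfile; package names other than lotusbail and all
// version numbers are made up for the demonstration.
const SAMPLE_LOCK = {
  name: "wa-bot",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "wa-helper": "^1.0.0", express: "^4.18.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/wa-helper": { version: "1.0.0", dependencies: { lotusbail: "^6.7.0" } },
    "node_modules/lotusbail": { version: "6.7.8" },
  },
};

// lotusbail is the package named in the article; extend from your own intel feed.
const DENYLIST = new Set(["lotusbail"]);

// Resolve the lockfile key for `name` as seen from the package installed at
// `fromKey`, following npm's lookup order: nested node_modules first, then
// each parent level up to the hoisted top-level node_modules.
function resolveEntry(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the top level without finding it
    base = base.slice(0, base.lastIndexOf("node_modules/")).replace(/\/$/, "");
  }
}

// Depth-first walk from the root package (key ""); one finding per chain that
// reaches a denylisted package, e.g. { package, version, chain: "a > b > c" }.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  const walk = (key, chain) => {
    const deps = (lock.packages[key] && lock.packages[key].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const entryKey = resolveEntry(lock, key, dep);
      if (!entryKey || chain.includes(dep)) continue; // unresolved entry or cycle
      const next = [...chain, dep];
      if (denylist.has(dep)) {
        findings.push({ package: dep, version: lock.packages[entryKey].version, chain: next.join(" > ") });
      }
      walk(entryKey, next);
    }
  };
  walk("", []);
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK)); // [{ package: "lotusbail", version: "6.7.8", chain: "wa-helper > lotusbail" }]
```

Pointing the same function at `JSON.parse(fs.readFileSync("package-lock.json"))` audits a real project; a lockfileVersion 1 file uses a different `dependencies` tree and is not handled here.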
