Worrying WhatsApp attack can steal messages and even accounts - here's how to stay safe from "poisoned" attack

News
By published

A fork of a popular project was found on npm

Cyber crime and security vector concept showing a laptop, credit card and open padlock.
(Image credit: Shutterstock / Jozsef Bagota)
  • Malicious NPM package lotusbail hijacks WhatsApp accounts, stealing tokens, messages, and contacts
  • Attackers link their device via WhatsApp pairing, persisting even after package removal
  • Package had 56,000+ downloads before discovery; developers urged to verify sources carefully

Node Package Manager (NPM) registry users are being targeted with malware that takes over their WhatsApp accounts, steals messages, and contacts lists, experts have warned.

Cybersecurity researchers Koi Security recently discovered a fork of the popular WhiskeySockets Baileys project, an open source TypeScript/JavaScript library that provides a WebSocket-based API for interacting with the WhatsApp Web protocol, letting developers programmatically connect to WhatsApp as a companion device.

The malicious fork, named ‘lotusbail’ has all the same functionality as the legitimate project, but it also steals WhatsApp authentication tokens and session keys. Furthermore, it intercepts and records all messages, pulls contacts, media files, and all other documents, to a third-party server.

Taking over WhatsApp accounts

"The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first," Koi Security said in its report.

"When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them."

But perhaps most alarmingly, the package links the attacker’s device with the victim’s WhatsApp account through the app’s pairing feature. That means that even if the victim removes the malicious NPM package, their WhatsApp account remains compromised until the link is manually disconnected.

The malware was sitting on npm for at least half a year, and during that time it amassed more than 56,000 downloads.

NPM is one of the world’s most popular public online registries hosting JavaScript packages published via npm. It allows developers to discover, download, and manage open source and private packages used in Node.js and JavaScript projects.

As such, it is constantly bombarded with all sorts of scams and hack attacks, from forked projects to typosquatted ones. To stay safe, devs are advised to be extra careful when downloading and running anything, even projects with thousands of downloads.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.