
A malicious package listed on the npm registry masquerades as a legitimate WhatsApp Web API library, enabling attackers to steal messages, harvest contacts, and take over accounts.
The package, a highly advanced malicious npm module called lotusbail, was discovered by Koi Security researchers in December 2025. It poses as a useful WhatsApp Web API library (a fork of the authentic @whiskeysockets/baileys) but is intended to steal account information and create permanent backdoors.
The malicious package retains the genuine functionality of the well-known WhiskeySockets Baileys project it was forked from. It has been available on npm under the name lotusbail for at least six months and has more than 56,000 downloads.
Researchers from supply-chain security firm Koi Security found that the package is capable of stealing WhatsApp authentication tokens and session keys, intercepting and recording every sent and received conversation, and exfiltrating contact lists, media files, and documents.
The package wraps the authentic WebSocket client that talks to WhatsApp. As the researchers explain, the malware’s socket wrapper is the first thing every message passing through your program goes through.
“The wrapper records your credentials after you authenticate. It intercepts messages as they arrive. The messages you send are recorded.”
Before being exfiltrated, the data is encrypted using a bespoke RSA implementation and several layers of obfuscation, including Unicode trickery, LZString compression, and AES encryption.
In addition to stealing data, the package links the attacker’s device to the victim’s WhatsApp account through device pairing.
This gives the attacker ongoing access to the account even after the malicious npm package is deleted. Access persists until the victim manually removes the linked device in WhatsApp settings.
Lotusbail uses a set of 27 infinite-loop traps to make debugging and analysis more difficult, according to Koi Security, which is probably why it remained undetected for so long.
Developers who used the package are advised to remove it from their systems and check their WhatsApp account for rogue linked devices.
Because simply reading the source code to spot the dangerous lines is insufficient, Koi Security advises developers evaluating a new dependency to watch its runtime behaviour for unexpected outbound connections or unusual activity during authentication.
Take these steps if you have used lotusbail or dubious WhatsApp-related libraries:
Remove the Package: Take the package out of your project dependencies right away.
Unlink Devices: On your primary mobile device, launch WhatsApp, select Settings > Linked Devices, and manually log out of any sessions that are suspicious or identified.
Audit Runtime: Watch your application’s outgoing network connections for unusual traffic to unidentified domains.
Examine Other Packages: Naya-flore, nvlore-hsc, and @vreden/meta are more recent malicious packages that target WhatsApp developers; some of these packages contain “kill switches” that can erase local files.