Malicious npm Package ‘lotusbail’ Compromises WhatsApp Accounts
Cybersecurity researchers have identified a malicious package named ‘lotusbail’ on the npm repository, which masquerades as a functional WhatsApp API but is designed to intercept messages, steal credentials, and link the attacker’s device to the victim’s WhatsApp account. Since its upload in May 2025 by a user named ‘seiren_primrose,’ ‘lotusbail’ has been downloaded over 56,000 times, with 711 downloads occurring in the past week. The package remains available for download as of this writing.
The ‘lotusbail’ package is engineered to capture authentication tokens, session keys, message histories, contact lists, and media files. It achieves this by wrapping the WebSocket client used for WhatsApp communication, allowing it to intercept and exfiltrate data to an attacker-controlled server in encrypted form. Additionally, the package exploits the device linking process by using a hard-coded pairing code, enabling the attacker’s device to gain persistent access to the victim’s WhatsApp account without their knowledge.
This attack is particularly insidious because the malicious activity is triggered during normal use of the API. When a developer uses ‘lotusbail’ to authenticate and connect to WhatsApp, the malware activates, intercepting messages and linking the attacker’s device. The package also includes anti-debugging features: when debugging tools are detected it enters an infinite loop, freezing execution and evading analysis.
The discovery of ‘lotusbail’ underscores the growing sophistication of supply chain attacks targeting open-source repositories. Traditional security measures may not detect such threats, as the malicious code is embedded within functional software that appears legitimate. Developers are advised to exercise caution when incorporating third-party packages, thoroughly vetting their sources and monitoring for any unusual behavior in their applications.
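As an added illustration of the vetting step (this is example code, not from the report or the researchers): a lockfile audit that walks the `packages` map of an npm v2/v3 `package-lock.json` and reports every installed copy of a blocklisted package, including transitive copies nested under another dependency, together with the parent that pulled it in. The sample lockfile and the `wa-helper` parent package are constructed for the demo; only the name `lotusbail` comes from the article.

```javascript
// Added example: audit an npm v2/v3 lockfile for a blocklisted package name.
// Assumes the lockfile's "packages" map, whose keys are install paths such as
// "node_modules/foo" or "node_modules/foo/node_modules/bar" ("" is the root project).
const BLOCKLIST = new Set(['lotusbail']);

// Constructed sample lockfile: 'lotusbail' arrives transitively via 'wa-helper'.
const sampleLockfile = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'wa-helper': '^1.0.0' } },
    'node_modules/wa-helper': { version: '1.0.0', dependencies: { lotusbail: '*' } },
    'node_modules/wa-helper/node_modules/lotusbail': { version: '1.2.3' },
    'node_modules/ws': { version: '8.0.0' },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/"
// segment, which keeps scoped names such as "@scope/name" intact.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Parent package of an install path: the package whose own node_modules
// directory contains it, or '(root project)' for top-level installs.
function parentOfPath(lockPath) {
  const cut = lockPath.lastIndexOf('/node_modules/');
  return cut === -1 ? '(root project)' : packageNameFromPath(lockPath.slice(0, cut));
}

// Returns one finding per installed copy: { name, version, path, parent }.
function findBlocklisted(lockfile, blocklist = BLOCKLIST) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !blocklist.has(name)) continue;
    findings.push({ name, version: meta.version, path: lockPath, parent: parentOfPath(lockPath) });
  }
  return findings;
}

// Stand-alone run: prints the finding for the constructed lockfile.
console.log(findBlocklisted(sampleLockfile));
```

Run it against a real project by replacing `sampleLockfile` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result means the package is installed even if it never appears in your own `package.json`.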