Malicious NPM Package ‘Lotusbail’ Steals WhatsApp Data from 56,000 Developers Worldwide


A recently discovered malicious npm package named lotusbail has been found to steal WhatsApp messages and user data from thousands of developers worldwide. This package, downloaded over 56,000 times, masquerades as a legitimate WhatsApp Web API library while covertly executing malware in the background.

Deceptive Appearance and Functionality

Lotusbail presents itself as a fork of the trusted @whiskeysockets/baileys package, making it appear safe to developers seeking WhatsApp integration tools. Unlike typical malicious packages that fail or break quickly, lotusbail delivers the promised functionality for sending and receiving WhatsApp messages. This deceptive effectiveness allows it to pass code reviews and be deployed in production systems without raising suspicion. Developers install it, test its features, and remain unaware of the ongoing data theft.

Prolonged Undetected Operation

The package remained active on npm for six months and was still available at the time of its discovery. During this period, it silently collected authentication tokens, message histories, contact lists, and media files, and maintained persistent backdoor access to infected WhatsApp accounts. Koi analysts identified this sophisticated malware campaign after detecting unusual behavioral patterns during runtime analysis of the package.

Scope of Data Theft

The stolen information includes complete WhatsApp session keys, all past and present messages, full contact directories with phone numbers, and any media or documents shared through the application. The malware captures this data by wrapping the legitimate WebSocket client that connects to WhatsApp servers, effectively placing itself in the middle of the connection and copying everything that passes through it.

Advanced Data Exfiltration Techniques

To conceal the stolen data, the malware encrypts it with a custom RSA scheme before transmitting it to the attacker's server. This additional encryption layer is unnecessary for a legitimate WhatsApp library, since WhatsApp already provides end-to-end encryption. The custom crypto layer exists solely to encrypt stolen data, preventing network monitoring tools from inspecting what is being exfiltrated.

The exfiltration server address is obfuscated through multiple layers of protection, including Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. This multi-layered approach makes it extremely difficult to trace where the stolen data is being sent.

Persistent Backdoor Access

The malware also hijacks WhatsApp’s device pairing system by using a hardcoded pairing code encrypted with AES. This technique allows the attacker to link their own device to victim accounts, granting them complete control even after the malicious package is removed from the system.

Evasion of Detection

To avoid detection, the package includes 27 infinite loop traps that activate when debugging tools are present, making analysis extremely challenging for security researchers.

Implications and Recommendations

This incident underscores the critical importance of vigilance when incorporating third-party packages into development projects. Developers are urged to:

– Verify Package Authenticity: Always ensure that packages are sourced from reputable maintainers and have a history of trustworthiness.

– Regularly Audit Dependencies: Conduct periodic reviews of all project dependencies to identify and remove any that are unnecessary or potentially harmful.

– Monitor for Unusual Behavior: Implement monitoring tools to detect unexpected behaviors or data transmissions within applications.

– Stay Informed: Keep abreast of the latest security advisories and reports related to the tools and libraries in use.

By adopting these practices, developers can better protect their projects and user data from similar supply chain attacks.
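As an added example of the "Regularly Audit Dependencies" step (not code from the article or from any project), the Node.js script below walks a package-lock.json, including transitive installs nested under other dependencies, and reports any package whose name is on a flag list such as "lotusbail". The lockfile contents, package names other than lotusbail, and version numbers are constructed for the example.

```javascript
// Added example (not from the article or any project): audit an npm
// package-lock.json for a flagged package such as "lotusbail", including
// transitive installs nested under other dependencies.
// All lockfile contents and versions below are constructed for this example.
const SAMPLE_LOCKFILE = {
  name: 'wa-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wa-bot', dependencies: { 'whatsapp-helper': '^1.0.0' } },
    'node_modules/whatsapp-helper': { version: '1.0.0', dependencies: { lotusbail: '^1.0.0' } },
    'node_modules/whatsapp-helper/node_modules/lotusbail': { version: '1.2.3' },
    'node_modules/ws': { version: '8.0.0' },
  },
};

// Names to flag; "lotusbail" is the package the article describes.
const FLAGGED = new Set(['lotusbail']);

// lockfileVersion 2/3 keys are install paths:
// "node_modules/a/node_modules/@scope/b" -> package name "@scope/b".
function nameFromPath(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// lockfileVersion 1 nests packages under "dependencies"; walk it recursively
// and rebuild the install path so nested copies are reported precisely.
function* walkV1(deps, parentPath) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    yield { name, version: info.version, path };
    yield* walkV1(info.dependencies, `${path}/`);
  }
}

// Every installed package (direct and transitive) from either lockfile format.
function listInstalled(lock) {
  if (lock.packages) {
    return Object.entries(lock.packages)
      .filter(([key]) => key !== '') // "" is the root project itself
      .map(([key, info]) => ({ name: info.name || nameFromPath(key), version: info.version, path: key }));
  }
  return [...walkV1(lock.dependencies, '')];
}

function findFlaggedPackages(lock, flagged = FLAGGED) {
  return listInstalled(lock).filter((p) => flagged.has(p.name));
}

for (const hit of findFlaggedPackages(SAMPLE_LOCKFILE)) {
  console.log(`FLAGGED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To audit a real project, replace SAMPLE_LOCKFILE with the parsed contents of its package-lock.json; nested matches matter because a flagged package pulled in by an intermediate dependency never appears in the project's own package.json.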