A malicious npm package disguised as a WhatsApp Web API has been downloaded over 56,000 times. It steals account credentials, intercepts all messages, and can give attackers permanent access. Learn how to check if you're affected and what to do.

Continue reading

A security researcher demonstrated how three patched OpenClaw vulnerabilities can be chained from a WhatsApp message to achieve credential theft, sandbox escape, and host-level code execution, exposing architectural risks in AI agents.
The most dangerous malware isn't what breaks your application—it’s what makes it work perfectly while betraying you. A malicious npm package downloaded 56,000 times demonstrates this exact deception.
In the crowded ecosystem of npm packages, the most effective camouflage isn't invisibility—it's utility. The `lotusbail` package, published in May 2025 by user `seiren_primrose`, presented itself as a fork of the legitimate `@whiskeysockets/baileys` WhatsApp Web API library. With over 56,000 downloads in six months, it passed the most basic security test: it worked.
The package's malicious functionality operates through a surgical wrapper around the library's WebSocket client. Rather than replacing or breaking existing functionality, it intercepts the data stream at the transport layer, creating a perfect man-in-the-middle position. Every authentication event, message transmission, and contact synchronization passes through this malicious filter.
The attack achieves two distinct objectives: immediate data exfiltration and persistent access establishment. While credentials and messages are encrypted through a custom four-layer obfuscation pipeline for exfiltration, the malware simultaneously executes WhatsApp's device-pairing protocol with attacker-controlled credentials. This dual-action approach represents an evolution in supply-chain attacks—not just stealing data, but establishing permanent footholds.
The technical execution reveals a threat actor with deep understanding of both JavaScript ecosystems and WhatsApp's architecture. The attack follows a precise sequence:
graph TD
A[Developer installs lotusbail] --> B[Package loads & wraps WebSocket client]
B --> C{WhatsApp Authentication}
C --> D[Capture tokens/session keys]
C --> E[Inject pairing code for attacker device]
D --> F[Data Processing Pipeline]
E --> G[Persistent Access Established]
subgraph F [Four-Layer Obfuscation]
F1[Custom RSA Encryption] --> F2[Unicode Variable Manipulation]
F2 --> F3[LZString Compression]
F3 --> F4[Base-91 Encoding]
F4 --> F5[AES Final Encryption]
end
F5 --> H[Exfiltration to C2]
G --> I[Access persists after package removal]The Wrapper Architecture: Unlike typical malicious packages that replace entire modules, `lotusbail` uses JavaScript's prototype inheritance to intercept method calls. The wrapper captures:
The Persistence Mechanism: This represents the most insidious innovation. During the normal device-linking flow, the malware injects a hardcoded pairing code that connects an attacker-controlled device to the victim's WhatsApp account. The brilliance lies in WhatsApp's architecture: once a device is linked, it remains authorized until explicitly removed via the primary device's settings. This creates what security researchers term a "zombie access"—surviving even after the initial infection vector is eliminated.
Evasion Techniques: The package includes 27 conditional infinite loops triggered by debugging environments, sandbox detection, or specific process arguments. Each trap uses different detection methods (process inspection, timing analysis, environment variables) to frustrate automated analysis systems.
| Type | Value | Context & Significance |
|---|---|---|
| npm Package | `lotusbail` | Primary infection vector; functional wrapper around legitimate baileys library |
| Publisher | `seiren_primrose` | Likely pseudonymous account; publishing pattern suggests targeted attack |
| Behavioral | Custom RSA + 4-layer obfuscation | Unicode manipulation → LZString compression → Base-91 encoding → AES encryption |
| Behavioral | 27 anti-debugging infinite loops | Professional-grade evasion targeting security researchers and automated sandboxes |
| Tactic | Technique ID | Technique Name | Implementation in lotusbail |
|---|---|---|---|
| Initial Access | T1552.001 | Unsecured Credentials | Steals WhatsApp authentication tokens via WebSocket interception |
| Collection | T1056.001 | Input Capture | Intercepts all messages, contacts, and media through API wrapper |
| Exfiltration | T1048.003 | Exfiltration Over Encrypted Channel | Custom encryption stack (RSA + AES) with multiple encoding layers |
Traditional dependency scanning tools failed here because `lotusbail` wasn't vulnerable—it was malicious. Detection requires behavioral analysis and runtime monitoring.
YARA Rule for Static Detection: ```yara rule NPM_WhatsApp_Stealer_lotusbail { meta: description = "Detects lotusbail malware components and obfuscation patterns" author = "SecureBlink Threat Intelligence" reference = "https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages"
strings: // Package identification $pkg_json = "\"name\": \"lotusbail\"" ascii wide
// Obfuscation markers $lzstring = /LZString\.(compressToBase64|decompressFromBase64)/ ascii $base91 = /[0-9A-Za-z!#$%&()*+,\-./:;<=>?@^_`{|}~]{90,}/ ascii
// Anti-debugging patterns $while_true = /while\s\(\strue\s\)\s\{\s*\}/ ascii $debugger_check = /debugger|console\.debug|devtools/ nocase ascii
condition: (2 of ($pkg_json, $lzstring, $base91)) or (3 of ($while_true, $debugger_check) and filesize < 2MB) } ```
Runtime Detection Queries:
For Security Analysts - SIEM Hunting: ```sql -- Splunk/Sigma rule equivalent index= (process_name="node.exe" OR process_name="node") command_line="lotusbail*" | stats count by host, user, command_line ```
For Malware Analysts - Behavioral Indicators:
Log Sources for Investigation:
# Recursive search for lotusbail dependency
find . -name "package.json" -type f -exec grep -l "lotusbail" {} \;
# Force removal and cleanup
npm uninstall lotusbail --save
rm -rf node_modules package-lock.json
npm cache clean --forceRisk Rating: HIGH (CVSS-equivalent 7.8)
Impact Dimensions:
Vertical-Specific Concerns:
CISO Priority Actions:
The lotusbail incident redefines the threat model: your dependencies aren't just vulnerable—they can be perfectly functional, expertly weaponized, and persistently malicious.

Millions of driver's license records were exposed in a massive data breach, raising identity theft risks and highlighting critical data security failures.
| Artifact | Hardcoded WhatsApp pairing code | Enables persistent device access that survives package removal |
| T1098.002 |
| Account Manipulation |
| Injects device pairing code for permanent WhatsApp access |
| Defense Evasion | T1027.010 | Command Obfuscation | Four-stage encoding/encryption pipeline for exfiltrated data |
| Defense Evasion | T1497.003 | Time-Based Evasion | Infinite-loop traps triggered by debugging/sandbox detection |