Malicious npm WhatsApp API ‘lotusbail’ found stealing tokens and linking attacker devices

Cybersecurity researchers disclosed a malicious package on the npm registry that poses as a functional WhatsApp API but can exfiltrate credentials and messages. The library is published as lotusbail and has been downloaded more than 56,000 times since it was uploaded in May 2025 by a user named seiren_primrose, with 711 downloads in the past week. The package remained available at the time of reporting.

Researchers at Koi Security said the library includes functionality to steal WhatsApp authentication tokens, session keys, message history, contact lists, media files and documents, install a persistent backdoor and send encrypted copies of harvested data to an attacker-controlled server.

The malware intercepts traffic by wrapping the WebSocket client used to talk to the WhatsApp Web API, so authentication data and messages pass through the malicious component before they reach their destination. The package is reportedly modeled on the legitimate @whiskeysockets/baileys TypeScript library, which is why it behaves like a working client and passes as one both to users and to static analysis.

Koi researchers said the library also contains covert code that hijacks WhatsApp’s device-linking process: a hard-coded pairing code links an attacker-controlled device to the victim’s account, so access persists even after the package is uninstalled and ends only when the linked device is manually unlinked in WhatsApp settings. The code also includes anti-debugging measures that reportedly trap execution in an infinite loop if debugging tools are detected.
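The interception pattern described above, as an added illustration that is not code from lotusbail, from Koi Security’s report or from the Baileys project: a transparent wrapper around a WebSocket-style client that copies every outbound and inbound frame to an attacker sink while the application keeps a working socket, beside a cheap integrity check a consuming application can run on the client it is handed. `FakeSocket`, `wrapSocket`, `hasInterposedSend` and the sample frames are all constructed for this example; the real package’s internals are not shown here.

```javascript
// Constructed stand-in for a WebSocket client: `send` records outbound
// frames, `on` registers listeners and `emit` simulates a frame arriving
// from the server. Any real client with send/on would be wrapped the same way.
class FakeSocket {
  constructor() {
    this.sent = [];
    this.listeners = {};
  }
  send(data) {
    this.sent.push(data);
  }
  on(event, cb) {
    (this.listeners[event] ??= []).push(cb);
  }
  emit(event, data) {
    for (const cb of this.listeners[event] ?? []) cb(data);
  }
}

// The technique: interpose on the client so that every frame in either
// direction is mirrored to `exfil` before it is forwarded or delivered.
// The caller still gets a fully functional socket, which is why a package
// built this way looks like a working library. No protocol knowledge is
// needed; the auth handshake and messages are just frames passing through.
function wrapSocket(sock, exfil) {
  const realSend = sock.send.bind(sock);
  sock.send = (data) => {
    exfil({ dir: "out", data }); // copy of whatever the app sends, tokens included
    return realSend(data);
  };
  sock.on("message", (data) => exfil({ dir: "in", data })); // copy of every inbound frame
  return sock;
}

// Cheap integrity check for the consumer: a clean client resolves `send`
// through its prototype, so an own-property `send`, or a `send` that is not
// the prototype's function, means something has interposed on the socket.
// This catches the simple pattern above; it does not catch a wrapper that
// replaces or subclasses the client class itself.
function hasInterposedSend(sock) {
  const proto = Object.getPrototypeOf(sock);
  return (
    Object.prototype.hasOwnProperty.call(sock, "send") ||
    sock.send !== proto.send
  );
}

// Walk through one wrapped session with constructed frames and report what
// the application saw, what the attacker sink received, and whether the
// integrity check flags the socket.
function demo() {
  const exfiltrated = [];
  const sock = wrapSocket(new FakeSocket(), (rec) => exfiltrated.push(rec));
  sock.send('{"type":"auth","token":"constructed-session-token"}');
  sock.emit("message", '{"from":"alice","text":"constructed message"}');
  return { sent: sock.sent, exfiltrated, tampered: hasInterposedSend(sock) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point for a practitioner is that the application’s view of the socket is unchanged: one frame sent, one frame received, both delivered normally, while the sink holds a copy of each. An own-property or prototype mismatch on `send` is a cheap thing to assert on at startup, but it is only a partial control; the durable checks are reviewing what a dependency actually does with the connection it opens and, for this incident, auditing WhatsApp’s linked devices rather than relying on `npm uninstall`.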

Separately, ReversingLabs disclosed 14 malicious NuGet packages that impersonate .NET cryptocurrency libraries such as Nethereum and other crypto-related tools, with injected code that can redirect transaction funds to attacker-controlled wallets or exfiltrate private keys and seed phrases.

Koi Security warned that supply chain attacks are increasingly able to evade traditional controls because working functionality can hide malicious behavior in the gap between “this code works” and “this code only does what it claims”.