Fake WhatsApp API package on npm steals messages, contacts, and login tokens

December 23, 2025 6 Min Read

Cybersecurity researchers have disclosed a new malicious package on the npm registry that works as a fully functional WhatsApp API library while also intercepting every message and linking the attacker’s device to the victim’s WhatsApp account.

The package named ‘lotusbail’ has been downloaded more than 56,000 times since it was first uploaded to the registry in May 2025 by a user named ‘seiren_primrose’. 711 of those downloads occurred in the last week. This library is still available for download at the time of writing.

Disguising itself as a functional tool, the malware “steals WhatsApp credentials, intercepts all messages, collects contacts, installs a persistent backdoor, and encrypts everything before sending it to the attacker’s servers,” Koi Security researcher Tuval Admoni said in a report released over the weekend.

Specifically, it can capture authentication tokens and session keys, message history, contact lists including phone numbers, and media files and documents. Importantly, the library borrows its working functionality from @whiskeysockets/baileys, a legitimate WebSocket-based TypeScript library for interacting with the WhatsApp Web API.

This is accomplished with a malicious WebSocket wrapper that all credentials and messages pass through, allowing both to be captured. The stolen data is sent in encrypted form to a URL controlled by the attacker.

The attack doesn’t stop there, as the package also contains a secret feature that uses a hard-coded pairing code to hijack the device’s linking process and create permanent access to the victim’s WhatsApp account.

“When you use this library for authentication, you’re not only linking your application, you’re also linking the threat actor’s device,” Admoni said. “They have complete and permanent access to your WhatsApp account, but you don’t know they’re there.”


Linking a device to a target’s WhatsApp not only provides continued access to contacts and conversations, but also allows persistent access even after the package is uninstalled from the system, as the threat actor’s device remains linked to the WhatsApp account until unlinked by going to the app’s settings.

Idan Dardikman from Koi Security told The Hacker News that developers who use this library to connect to WhatsApp will trigger the malicious activity.

“The malware wraps the WebSocket client, so once it authenticates and starts sending and receiving messages, it starts eavesdropping,” Dardikman said. “No special functionality is required beyond normal use of the API. The backdoor pairing code is also activated during the authentication flow, so the attacker’s device is linked the moment you connect your app to WhatsApp.”

In addition, “lotusbail” includes an anti-debug feature that enters an infinite loop and freezes execution if a debugging tool is detected.

“Supply chain attacks are not slowing down. The situation is getting worse,” Koi said. “Traditional security doesn’t catch this. Static analysis sees and approves working WhatsApp code. Our reputation system sees 56,000 downloads and is trusted. Malware hides in the gap between ‘this code works’ and ‘this code only does what it claims to do.’”

Malicious NuGet packages targeting the crypto ecosystem

This disclosure comes after ReversingLabs shared details of 14 malicious NuGet packages that impersonate Nethereum, the .NET integration library for the Ethereum blockchain, and other cryptocurrency-related tools. The packages redirect transaction funds to attacker-controlled wallets, or leak private keys or seed phrases, if the transfer amount exceeds $100.

The names of packages published by eight different accounts are listed below.

  • binance.csharp
  • bitcoin core
  • bybitapi.net
  • coinbase.net.api
  • googleads.api
  • nbitcoin.unified
  • netherium net
  • integrated
  • Netherium.all
  • Solana Net
  • Solnetol
  • solnet all net
  • solnet plus
  • solnet integration

These packages used several techniques to lull users into a false sense of security, including inflating download counts and publishing dozens of new versions in a short period to give the impression of active maintenance. The campaign dates back to July 2025.


The developer injected the malicious functionality so that it is triggered only after the package is installed and the relevant functionality is invoked from the application that embeds it. Noteworthy among the packages is GoogleAds.API, which focuses on stealing Google Ads OAuth credentials rather than wallet secrets.

“These values are highly sensitive as they allow full programmatic access to Google Ads accounts. Once leaked, an attacker could impersonate the victim’s advertising client, read all campaign and performance data, create or modify ads, and spend unlimited funds on malicious or fraudulent campaigns,” ReversingLabs said.
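For defenders responding to both the npm (lotusbail) and NuGet (Nethereum lookalike) campaigns above, the following is an added example, not code from the article, Koi Security or ReversingLabs: it audits an npm package-lock.json and a NuGet packages.lock.json against the package names the article reports and flags typosquats of the legitimate libraries they imitate. The lockfile contents and version strings are constructed; the one-edit-distance rule is a heuristic and will not catch variants that keep the legitimate name as an exact prefix.

```javascript
// Added example (not from the article, Koi Security or ReversingLabs): audit
// npm and NuGet lockfiles for the package names the article reports and for
// typosquats of the legitimate libraries the campaign imitates.

// Package names reported as malicious in the article (lower-cased).
const KNOWN_BAD = new Set(["lotusbail", "binance.csharp", "bybitapi.net",
  "coinbase.net.api", "googleads.api", "nbitcoin.unified"]);
// Legitimate libraries the campaign imitates. A package whose first name
// segment is within one edit of one of these, but not equal to it, is flagged.
const LEGIT = ["baileys", "nethereum", "solnet", "nbitcoin"];

// Standard single-row Levenshtein edit distance (insert/delete/substitute).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

// npm lockfileVersion 2/3: "packages" keys are install paths like "node_modules/foo".
function npmPackages(lock) {
  return Object.entries(lock.packages || {}).filter(([p]) => p !== "")
    .map(([p, m]) => ({ name: p.slice(p.lastIndexOf("node_modules/") + 13), version: m.version }));
}
// NuGet packages.lock.json: "dependencies" keyed by target framework, then package id.
function nugetPackages(lock) {
  return Object.values(lock.dependencies || {}).flatMap((tfm) =>
    Object.entries(tfm).map(([id, m]) => ({ name: id, version: m.resolved })));
}

// Returns only the suspicious packages with the reason each was flagged.
function audit(pkgs) {
  const findings = [];
  for (const { name, version } of pkgs) {
    const lname = name.toLowerCase().replace(/^@[^/]+\//, ""); // drop npm scope
    if (KNOWN_BAD.has(lname)) { findings.push({ name, version, reason: "known-malicious" }); continue; }
    const first = lname.split(".")[0];
    const hit = LEGIT.find((l) => first !== l && editDistance(first, l) <= 1);
    if (hit) findings.push({ name, version, reason: `lookalike of ${hit}` });
  }
  return findings;
}

// Constructed sample lockfiles (versions are placeholders, not real releases).
const NPM_LOCK = { lockfileVersion: 3, packages: { "": { name: "my-bot" },
  "node_modules/lotusbail": { version: "0.0.0-constructed" },
  "node_modules/@whiskeysockets/baileys": { version: "0.0.0-constructed" },
  "node_modules/ws": { version: "0.0.0-constructed" } } };
const NUGET_LOCK = { version: 1, dependencies: { "net8.0": {
  "Netherium.All": { type: "Direct", resolved: "0.0.0-constructed" },
  "Nethereum.Web3": { type: "Direct", resolved: "0.0.0-constructed" },
  "GoogleAds.API": { type: "Transitive", resolved: "0.0.0-constructed" } } } };
console.log(audit([...npmPackages(NPM_LOCK), ...nugetPackages(NUGET_LOCK)]));
```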
