Working Library. Hidden Trojan.
The lotusbail npm package — a fork of the Baileys WhatsApp library with 56,000+ downloads — contained malware that captures auth tokens, full message history, contacts and media, and installs a persistent backdoor using a hardcoded pairing code.
A trusted npm package with 56K+ installs was quietly duplicating every WhatsApp message and pairing the attacker to victims' accounts. It worked like a legit library — and that's why it failed security checks.
The lotusbail npm package — a fork of the Baileys WhatsApp library with 56,000+ downloads — contained malware that captures auth tokens, full message history, contacts and media, and installs a persistent backdoor using a hardcoded pairing code.
Source: Koi Research — Source link
Highlights
| Metric | Value | Notes |
|---|---|---|
| Package | lotusbail — fork of @whiskeysockets/baileys | |
| Downloads | 56,000+ npm downloads | |
| Market presence | Available on npm for 6 months and still live at time of writing | |
| What it steals | Authentication tokens; complete message history; full contact lists; media and documents; persistent backdoor access | |
| Evasion & exfiltration | Custom RSA encrypts stolen data; exfiltration server hidden via Unicode manipulation, LZString, Base-91 and AES | |
| Persistence & anti-analysis | Encrypted hardcoded pairing code links attacker device permanently; 27 infinite-loop traps detect debuggers and sandboxes |
Key points
- Malicious code was embedded in a fully functional WhatsApp API fork, increasing trust and adoption.
- The package wraps the WebSocket client to duplicate every message, credential and file before normal processing.
- Stolen data is encrypted with a custom RSA implementation prior to transmission to evade network detection.
- An AES-encrypted hardcoded pairing code links the attacker's device to victims' WhatsApp accounts, persisting after package removal.
- Four layers of obfuscation plus 27 anti-debugging traps were used to hinder static and dynamic analysis.
- Traditional checks (static analysis, reputation signals, marketplace review) can miss working, well-engineered supply-chain malware.
- Detecting these attacks requires behavioral/runtime analysis that watches what packages actually do at execution time.
Timeline
- December 21, 2025 — Koi Research publishes analysis of the lotusbail npm package
Why this matters
Supply-chain malware that functions as advertised bypasses static reviews and reputation systems. The result: credential theft, account takeover, and persistent access that survives package removal. Organizations need runtime behavioral controls and package behavior monitoring to detect these sophisticated attacks.
