NPM package with 56,000 downloads compromises WhatsApp accounts

securityaffairs.com

NPM package with 56,000 downloads compromises WhatsApp accounts

securityaffairs.com

Tony Bark@pawb.social to

cybersecurity@infosec.pub · 5 days ago

An NPM package with over 56,000 downloads stole WhatsApp credentials, hid its activity, and installed a backdoor.

Koi Security researchers warned that the NPM package ‘Lotusbail’, a WhatsApp Web API library and fork of ‘Baileys’, has been stealing users’ credentials and data.

The package has been available for six months and has had over 56,000 downloads. Lotusbail supports sending and receiving WhatsApp messages, wrapping the legitimate WebSocket client so all messages pass through it first, enabling the malicious capture of information.

The Lotusbail npm package works as a fully functional WhatsApp API, making it hard to detect because it is based on the legitimate Baileys library. It wraps WhatsApp’s WebSocket client, intercepting credentials, messages, contacts, and media while continuing normal operations.

You must log in or register to comment.

Chat

cybersecurity@infosec.pub

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

48 users / day
88 users / week
561 users / month
2.05K users / 6 months
2 local subscribers
5.34K subscribers
943 Posts
2.01K Comments
Modlog