A malicious package in the Node Package Manager (NPM) registry poses as a legitimate WhatsApp Web API library to steal WhatsApp messages, collect contacts, and gain access to the account.
The malicious package is a fork of the popular WhiskeySockets Baileys project and provides the legitimate functionality. It has been available on npm under the name lotusbail for at least six months and has accumulated more than 56,000 downloads.
The lotusbail package on NPM
Source: BleepingComputer
Researchers at supply-chain security company Koi Security discovered the malicious package and found that it could steal WhatsApp authentication tokens and session keys, intercept and record all messages - both sent and received, and exfiltrate contact lists, media files, and documents.
"The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware's socket wrapper first," the researchers explain.
"When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them."
Code to capture data
Source: Koi Security
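To check whether a project pulls in the package described above, the following added example (not code from the article or from Koi Security) walks a parsed `package-lock.json` and reports every install of `lotusbail`, including transitive copies and installs hidden behind an npm alias. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find a flagged package in a parsed package-lock.json,
// covering direct, transitive and aliased installs.
const FLAGGED = new Set(['lotusbail']); // package name as given in the article

// "npm:<name>@<version>" alias spec -> registry name, otherwise null.
function aliasTarget(spec) {
  const m = /^npm:((?:@[^/]+\/)?[^@]+)/.exec(String(spec || ''));
  return m ? m[1] : null;
}

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const record = (where, names, version) => {
    const name = names.find((n) => n && flagged.has(n));
    if (name) hits.push({ where, name, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      // entry.name is set when the folder name is an alias for the real package.
      const folder = path.split('node_modules/').pop();
      record(path, [entry.name, folder], entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree; aliases live in "version".
    const walk = (deps, trail) => {
      for (const [key, entry] of Object.entries(deps || {})) {
        record([...trail, key].join(' > '), [aliasTarget(entry.version), key], entry.version);
        walk(entry.dependencies, [...trail, key]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (v3); versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-bot', version: '1.0.0' },
    'node_modules/wa-client': { name: 'lotusbail', version: '0.0.0-sample' },
    'node_modules/ws': { version: '8.0.0' },
    'node_modules/helper/node_modules/lotusbail': { version: '0.0.0-sample' },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findFlagged`. A hit means any WhatsApp session that ran through that install should be treated as exposed, given the token and session-key theft the researchers describe.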