The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing.
Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server.
Figure: Koidex report for the lotusbail package
What gets captured:
Authentication tokens and session keys
Complete message history (past and present)
Full contact lists with phone numbers
Media files and documents
Persistent backdoor access to your WhatsApp account
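To check whether a project pulls in the package directly, transitively, or under an npm alias that hides its name, the lockfile can be searched. The following is an added example, not code from the original article; the function names and the sample lockfile contents are assumptions constructed for illustration.

```javascript
// Added example, not from the article. Finds a named package anywhere in a
// parsed package-lock.json, including transitive and aliased installs.
const SUSPECT = 'lotusbail'; // package name reported in the article

// Package name implied by a v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

function findInLock(lock, target = SUSPECT) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // An aliased install records the real package name in meta.name.
    const real = meta.name || nameFromPath(key);
    if (real === target) hits.push({ where: key, version: meta.version });
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      // v1 records an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@[^@]+$/.exec(meta.version || '');
      if ((alias ? alias[1] : name) === target) {
        hits.push({ where: [...trail, name].join(' > '), version: meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; package names other than lotusbail and
// @whiskeysockets/baileys, and all versions, are made up.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'my-bot', version: '1.0.0' },
  'node_modules/@whiskeysockets/baileys': { version: '0.0.0-sample' },
  'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-sample' },
  'node_modules/baileys': { name: 'lotusbail', version: '0.0.0-sample' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'wa-helper': { version: '1.0.0', dependencies: { lotusbail: { version: '0.0.0-sample' } } },
  baileys: { version: 'npm:lotusbail@0.0.0-sample' },
} };

console.log(findInLock(SAMPLE_V3), findInLock(SAMPLE_V1));
```

To scan a real project, pass the parsed contents of its package-lock.json to `findInLock`. A lockfileVersion 2 file carries both sections, so each hit is reported twice.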
How It Works