
Fake WhatsApp developer libraries hide destructive data-wiping code


Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on developers' computers.

Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code.

The packages, discovered by researchers at Socket, masquerade as WhatsApp socket libraries and have been downloaded over 1,100 times since their publication last month.

Despite Socket having filed takedown requests and flagging the publisher, nayflore, both remain available at the time of writing.

The names of the two malicious packages are naya-flore and nvlore-hsc, though the same publisher has submitted more on NPM, like nouku-search, very-nay, naya-clone, node-smsk, and @veryflore/disc.

Although these additional five packages are not currently malicious, extreme caution is advised, as an update pushed at any time could inject dangerous code.
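One way to check a project for the packages named above is to scan its package-lock.json, which also covers transitive dependencies. The following is an added example, not code from Socket or from the original article; the function name and the sample lockfile are assumptions made for illustration.

```javascript
// Package names come from the article; the sample lockfile below is constructed.
const MALICIOUS = new Set(["naya-flore", "nvlore-hsc"]);
const SAME_PUBLISHER = new Set([
  "nouku-search", "very-nay", "naya-clone", "node-smsk", "@veryflore/disc",
]);

// Returns one { name, version, status, path } record per flagged install location
// found in a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findFlaggedPackages(lock) {
  const hits = new Map(); // keyed by install path so v2's two trees don't double-count
  const record = (name, version, path) => {
    const status = MALICIOUS.has(name) ? "malicious"
      : SAME_PUBLISHER.has(name) ? "same-publisher" : null;
    if (status && !hits.has(path)) {
      hits.set(path, { name, version: version || "unknown", status, path });
    }
  };

  // v2/v3: flat "packages" map keyed by install path, e.g. "node_modules/a/node_modules/b".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace folder
    record(path.slice(i + "node_modules/".length), meta.version, path);
  }

  // v1 (and the legacy tree kept in v2): nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample (versions are made up), lockfileVersion 3 layout.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/naya-flore": { version: "0.0.0-sample" },
    "node_modules/bot-kit/node_modules/@veryflore/disc": { version: "0.0.0-sample" },
  },
};
console.log(findFlaggedPackages(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to findFlaggedPackages and treat any "malicious" hit as a reason to remove the dependency.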

All these packages mimic legitimate WhatsApp developer libraries used for building bots and automation tools around the WhatsApp Business API.

Socket notes that these libraries have recently experienced a significant surge in demand, as more businesses utilize WhatsApp's Cloud API for customer communication.

Wiper code

Both naya-flore and nvlore-hsc contain a function called 'requestPairingCode' that is supposed to handle WhatsApp pairing, but which retrieves a base64-encoded JSON file from a GitHub address.
