The Silent Sync: How the “lotusbail” npm Package Hijacks WhatsApp Accounts
A malicious package named lotusbail has been uncovered in the npm repository, masquerading as a library for working with WhatsApp Web while quietly siphoning conversations and granting attackers persistent access to user accounts. According to Koi Security, the package has been downloaded more than 56,000 times. It was published roughly six months ago and, at the time of reporting, remained available for installation.
At first glance, everything appears legitimate. Lotusbail genuinely functions as the promised API. It is implemented as a fork of the widely used and reputable Baileys library (@whiskeysockets/baileys), which developers rely on to integrate WhatsApp into their own services via the WhatsApp Web protocol. This seemingly “normal” functionality lulls developers into a false sense of security: the dependency installs cleanly, messages send and arrive as expected, and the project is confidently pushed to production.
What follows is behavior that has no place in such a library. As described by Koi Security, the malicious code wraps the WebSocket client through which the application communicates with WhatsApp, granting it visibility into all traffic. During authentication, it intercepts session tokens and keys, then proceeds to copy incoming and outgoing messages, extract contact lists, and collect media files and documents—preparing the entire cache for exfiltration to attacker-controlled servers.
To avoid raising suspicion at the network level, the stolen data is not transmitted in plain form. Researchers point to a custom-built RSA implementation and multilayered obfuscation that render both the destination server and the data transfer itself opaque to superficial inspection. The package also employs anti-analysis techniques, including deliberate traps designed to frustrate debugging and dynamic behavior analysis.
The most troubling aspect, however, is the lingering “tail” the malware can leave behind even after the dependency is removed. WhatsApp allows additional devices to be linked via pairing codes, and, according to Koi Security, lotusbail interferes with this process to silently bind an attacker-controlled device alongside the legitimate application. The result is persistent access to conversations and contacts. Simply uninstalling the npm package does not resolve the compromise: the rogue device remains linked until it is manually removed in WhatsApp’s settings.
If lotusbail or a suspicious Baileys fork has ever been used in a production environment, it is prudent to assume the session may have been compromised. Developers should review the list of linked devices in WhatsApp and revoke any unfamiliar entries, while also auditing their dependency chain and the sources used in their build process. The lotusbail case starkly illustrates how modern supply-chain attacks are evolving: instead of breaking functionality, malicious packages increasingly preserve it—quietly appending a second, hidden execution path.