NPM Package with 56K Downloads Caught Stealing WhatsApp Messages

Koi Research
By Tuval Admoni, December 21, 2025

Intro

The lotusbail npm package presents itself as a WhatsApp Web API library, a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it’s the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing.

Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server.

[Figure: Koidex report for lotusbail package]

What gets…
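A package like this can enter a project as a transitive dependency, so checking only package.json is not enough. The following script is an added example (not code from Koi Research or from the lotusbail report) that walks an npm lockfile, in both the lockfileVersion 1 nested "dependencies" layout and the lockfileVersion 2/3 flat "packages" map, and reports every occurrence of a watch-listed package name, at any depth. The watch list holds only the name the report gives, lotusbail; the sample lockfiles and their version strings are constructed for the demonstration and are not real project data.

```python
"""Find watch-listed npm packages anywhere in a lockfile's dependency tree.

Added example; assumes the standard npm lockfile layouts:
  - lockfileVersion 1: nested "dependencies" objects
  - lockfileVersion 2/3: flat "packages" map keyed by install path
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Package name taken from the report above; extend as needed.
WATCHLIST: Set[str] = {"lotusbail"}


def iter_lockfile_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install_path) for every package in the lockfile."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        # lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b";
        # the package name is whatever follows the last "node_modules/" segment,
        # which keeps scoped names such as "@scope/name" intact.
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, str(meta.get("version", "?")), path
        return

    # lockfileVersion 1: recurse through nested "dependencies" objects and
    # rebuild the install path as we descend.
    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, str(meta.get("version", "?")), path
            yield from walk(meta.get("dependencies") or {}, path + "/")

    yield from walk(lock.get("dependencies") or {}, "")


def find_watchlisted(lock: dict, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Return one record per occurrence of a watch-listed package, any depth."""
    hits: List[Dict[str, str]] = []
    for name, version, path in iter_lockfile_packages(lock):
        if name in watchlist:
            hits.append({"name": name, "version": version, "path": path})
    return hits


# Constructed sample lockfiles (hypothetical project, made-up version strings).
SAMPLE_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-bot", "version": "1.0.0"},
        "node_modules/@whiskeysockets/baileys": {"version": "1.2.3"},
        "node_modules/some-wrapper": {"version": "2.1.0"},
        "node_modules/some-wrapper/node_modules/lotusbail": {"version": "0.0.0-example"},
    },
}

SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-wrapper": {
            "version": "2.1.0",
            "dependencies": {"lotusbail": {"version": "0.0.0-example"}},
        }
    },
}


def scan_file(path: str) -> List[Dict[str, str]]:
    """Load a package-lock.json from disk and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_watchlisted(json.load(fh))


if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]
    # With no argument the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        results = scan_file(sys.argv[1])
    else:
        results = find_watchlisted(SAMPLE_V3) + find_watchlisted(SAMPLE_V1)
    for hit in results:
        print(f"FOUND {hit['name']}@{hit['version']} at {hit['path']}")
    sys.exit(1 if results else 0)
```

The script exits non-zero on any hit so it can gate a CI job. Because the malicious package is a working fork of the real library, a name match is the signal to act on; the install path in each record shows which direct dependency pulled it in, which is what you need to know when deciding what to remove.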

Read more on Hacker News