Malicious WhatsApp API Package ‘lotusbail’ Steals Credentials and Intercepts Messages
A fraudulent package available on the npm repository, disguised as a legitimate WhatsApp API, has been identified as malware capable of stealing messages, contacts, and user credentials. The package, known as ‘lotusbail,’ has been downloaded over 56,000 times, posing a significant risk to developers and, ultimately, WhatsApp users.
Supply Chain Attack Targets Developers
Researchers first identified the malicious package in May 2025. The ‘lotusbail’ package, uploaded by a user named ‘lotusbail,’ represents a serious threat of supply chain attacks targeting developers through compromised packages.
How ‘lotusbail’ Operates
A detailed investigation by Koi Security, led by Tuval Admoni, revealed the extent of the malware’s capabilities. According to the report, ‘lotusbail’ “steals your WhatsApp credentials, intercepts every message, collects your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server.”
The malware targets sensitive details including authentication tokens, session keys, message histories, contact lists, and multimedia files. It functions by mimicking the legitimate @whiskeysockets/baileys library, but incorporates a malicious WebSocket wrapper that redirects intercepted data to the attackers’ servers.
“By using this library to authenticate, you not only bind your request, but also the attacker’s device,” one researcher noted. This allows cybercriminals to maintain persistent access to a victim’s WhatsApp account, even after the malware is removed. Users must manually unlink the attacker’s device through WhatsApp settings.
Silent Activation and Persistent Access
The malicious package activates when a developer integrates the library into their application to connect to WhatsApp. Koi Security’s Idan Dardikman explained to The Hacker News that the malware wraps around the WebSocket client, triggering interception as soon as authentication and message exchange begin. Crucially, this process requires no additional user action, making it difficult to detect.
The backdoor pairing code activates during authentication, automatically linking the attacker’s device to the target WhatsApp account. This ensures attackers retain access to conversations, contacts, and files, even if the user uninstalls the malicious package.
Elegant Malware Design
The ‘lotusbail’ package is designed with anti-debugging capabilities, creating an infinite loop when security tools attempt to analyze its operation. This makes it challenging for security experts to understand and dismantle the malware.
Koi Security warns that attacks on the software supply chain are becoming increasingly sophisticated. Traditional security measures, such as static analysis and reputation systems based on download numbers, are proving ineffective against these hidden threats. This allows malware to blend in with legitimate tools and remain undetected for extended periods.
Broader Trend of Malicious Packages
The discovery of ‘lotusbail’ coincides with a surge in malware campaigns targeting developers and users of popular libraries. ReversingLabs recently identified 14 malicious NuGet packages impersonating Nethereum and other cryptocurrency-related tools in the .NET ecosystem. These packages are designed to redirect funds or steal private keys from cryptocurrency transactions exceeding $100.
The identified packages include “binance.csharp,” “Bitcoin Core,” “bitapi.net,” “coinbase.net API,” “googleads.api,” “nbitcoin.unified,” “nethereumnet,” “nethereumunified,” “nethereum.all,” “solananet,” “solnetall,” “solnetall.net,” “solnetplus,” and “solnetunified.” Attackers employ tactics like inflating download counts and consistently publishing updates to create a false sense of security. This malicious activity began in July 2025.
This growing trend underscores the critical need for enhanced security measures and vigilance within the software development ecosystem.
