WhatsApp: “Everything is being copied” – expert warns of new scam


An npm package with over 56,000 downloads pretends to be a functioning WhatsApp API library – but in reality, it steals everything from messages and contacts to login details and secretly takes over entire user accounts.

WhatsApp API: Popular npm package is a dangerous spy tool
The malicious package is called lotusbail and, according to Tuval Admoni of the security company Koi Security, had been freely available on npm for over six months. Even when Koi Security's blog post describing the package was published on December 21, 2025, the package was reportedly still downloadable from npm.

What makes it particularly treacherous is that the code really does work as advertised. It is derived from the legitimate Baileys library, a widely used open-source implementation of the protocol that WhatsApp's own web and desktop clients speak. A developer could therefore drop the malicious variant into an existing project and see nothing out of the ordinary.

Behind the seemingly harmless software component, however, lies sophisticated spyware. A Baileys-based client talks to WhatsApp over a single WebSocket connection: a persistent, bidirectional channel that stays open for the whole session instead of opening a new connection for every request, as HTTP does. Everything the account sends and receives flows through that channel, and it is the library itself that holds the session keys and turns the encrypted traffic into plaintext for the application. A malicious copy of the library therefore sees all of it in the clear and can keep a copy: authentication credentials, complete message histories, contact lists and even media files. “Everything […] is duplicated and prepared for exfiltration,” explains Admoni.

Quadruple encryption and hidden backdoor
Particularly striking is the technical effort the attackers put into covering their tracks. The stolen data is wrapped in several layers of camouflage (compression, re-encoding, character-level tricks, encryption and protection of the key) so that it no longer looks like normal code or normal data; only after this multi-step process is it sent to an external server. For anyone inspecting the package this means that searching the source for a suspicious hostname or field name turns up nothing; what remains visible is the decode-and-send chain itself and the long, opaque string constants it operates on.

But that is not all: the library also abuses WhatsApp's device linking process, the same mechanism that links WhatsApp Web or a desktop client to a phone. It registers an attacker-controlled device as a linked companion of the victim's account, and that link survives uninstalling the package: the attacker's device is tied to the account, not to the code, so access to messages and contacts remains without the user noticing.

What victims can do
An npm package is a ready-made code module for JavaScript (often also TypeScript) that you can import into your own project instead of writing it yourself. npm – the “Node Package Manager” – is the tool that finds, downloads, and neatly manages these modules, including versions, so that a project works the same on different computers.

npm is mainly used in software development, so someone who simply uses WhatsApp day to day is not a direct target of the criminals behind the manipulated library. At risk are developers and operators who built bots or integrations on lotusbail, together with the WhatsApp accounts those projects were linked to. For them, the following steps are important.

Remove all linked WhatsApp devices: Open the messenger on your smartphone, go to “Linked Devices” and log out every entry you do not recognise. The attacker's companion device appears there like any other linked client, and logging it out cuts off its access.
Re-secure WhatsApp access: Register your number on a different phone. WhatsApp then logs out every previously linked companion device, including the attacker's.
Delete the package from your project: Remove lotusbail completely (npm ls lotusbail shows whether it is still pulled in, directly or through another dependency) and review the remaining dependencies. Note that npm audit only reports packages with a published advisory; a malicious package nobody has reported yet comes back clean, so also check lockfile entries by hand or with a tool that looks at names, download sources and install scripts.
Change all affected access data: Delete the bot's stored WhatsApp session (the auth-state files Baileys-based code keeps on disk; a stolen copy is as good as the original) and link it afresh, and rotate any API keys, tokens or passwords that were used in or reachable from the project.
Report incidents and secure for the future: Report the package to npm and inform your team. Before adding a new library, check who publishes it, how long it has existed and whether it really is the project you meant to depend on.
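As an added example that is not part of the article or of Koi Security's write-up, the following script does the lockfile check from the steps above on a package-lock.json: it flags a denylisted name, near-lookalikes of a trusted name (a generic typosquat check; lotusbail itself is not a close misspelling of Baileys, so the denylist entry is what catches it), tarballs resolved from outside registry.npmjs.org, and packages that declare an install script. The lockfile it runs on is constructed; the versions, URLs and hasInstallScript flag are placeholders, not real metadata of any package.

```javascript
// Added example (not from the article or Koi Security): inventory a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for a known-bad
// name, lookalikes of a trusted name, tarballs fetched from outside the
// public registry, and packages with install hooks. Complements npm audit,
// which only knows packages that already have a published advisory.

// Standard edit distance; a small distance between a dependency and a
// well-known name is the classic typosquat signal.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

const PUBLIC_REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Returns one finding per (package, reason). "lock" is the parsed JSON of a
// package-lock.json; the root project (key "") is skipped.
function auditLockfile(lock, { denylist = ['lotusbail'], trusted = ['baileys'], maxDistance = 2 } = {}) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue;
    const name = packageName(lockPath);
    const unscoped = name.replace(/^@[^/]+\//, '');
    const flag = (reason) => findings.push({ name, version: meta.version, reason });
    if (denylist.includes(name) || denylist.includes(unscoped)) flag('denylisted');
    for (const t of trusted) {
      const d = levenshtein(unscoped, t);
      if (d > 0 && d <= maxDistance) flag(`lookalike of ${t} (edit distance ${d})`);
    }
    // A private mirror can be legitimate: something to confirm, not proof of tampering.
    if (meta.resolved && !PUBLIC_REGISTRY.test(meta.resolved)) flag('resolved outside registry.npmjs.org');
    // npm sets this when the package declares preinstall/install/postinstall.
    if (meta.hasInstallScript) flag('has install script');
  }
  return findings;
}

// Constructed lockfile: versions, URLs and flags are placeholders, not real
// metadata of lotusbail, ws or any other package. mirror.example.invalid is invented.
const CONSTRUCTED_LOCK = {
  name: 'wa-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wa-bot', version: '1.0.0', dependencies: { lotusbail: '*', ws: '*' } },
    'node_modules/lotusbail': { version: '0.0.0', resolved: 'https://registry.npmjs.org/lotusbail/-/lotusbail-0.0.0.tgz' },
    'node_modules/ws': { version: '0.0.0', resolved: 'https://registry.npmjs.org/ws/-/ws-0.0.0.tgz' },
    'node_modules/baileyss': { version: '0.0.0', resolved: 'http://mirror.example.invalid/baileyss-0.0.0.tgz', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(CONSTRUCTED_LOCK), null, 2));
```

On a real project, replace CONSTRUCTED_LOCK with JSON.parse of the project's package-lock.json and extend the denylist and trusted lists to the packages the project actually relies on; a scoped name is compared both with and without its scope.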

– Sources: Koi Security, own research/heute.at/picture: pixabay.com
