A malicious npm package named lotusbail has been discovered impersonating a legitimate WhatsApp Web API client library. For several months it was quietly integrated into projects by unsuspecting developers, while its hidden functionality enabled attackers to intercept WhatsApp conversations, exfiltrate contacts and establish persistent access to victims’ WhatsApp accounts.
Malicious npm package lotusbail disguised as WhatsApp Web API client
According to analysis by Koi Security, lotusbail is a fork of the popular open-source project WhiskeySockets Baileys, widely used to integrate applications with WhatsApp Web. The package remained available in the npm registry for at least six months and accumulated more than 56,000 downloads, giving the attackers broad reach across the JavaScript ecosystem.
The key to this campaign’s effectiveness was that lotusbail actually delivered the functionality developers expected: a fully working WhatsApp Web client. Because the visible features behaved correctly, the package blended into existing codebases and passed cursory reviews and basic automated checks, appearing to be just another infrastructure dependency.
How the lotusbail malware intercepts WhatsApp data
Abusing WebSocket client to hijack authentication and sessions
Koi Security’s reverse engineering shows that the malicious logic in lotusbail is implemented as a wrapper around the legitimate WebSocket client used to talk to WhatsApp’s backend. All traffic between the application and WhatsApp is transparently routed through this malicious layer first.
During the WhatsApp Web login process, the wrapper captures authentication tokens and session keys before handing them to the genuine library. The same applies to user data: incoming and outgoing messages, contact lists, attachments, media files and documents are all accessible to the malware before they reach the normal client code.
By simply including lotusbail as a dependency, developers unintentionally turned their applications into full-featured surveillance tools for attackers, giving them visibility into users’ WhatsApp traffic and the ability to reuse stolen credentials.
Multi-layer obfuscation and encrypted exfiltration
The stolen WhatsApp data is not sent to the attackers in plain text. Researchers identified a custom RSA implementation combined with several obfuscation layers, including Unicode manipulation, LZString-based compression and AES encryption.
Only after passing through all these stages are the data packages transmitted to the attackers’ command-and-control (C2) infrastructure. Such multi-layer obfuscation significantly complicates static and dynamic analysis and makes it harder for network monitoring tools to distinguish the exfiltration from legitimate encrypted traffic.
Persistent WhatsApp access via Linked Devices feature
Beyond one-time token theft, lotusbail can silently pair an attacker-controlled device to the victim’s WhatsApp account using WhatsApp’s standard multi-device feature (Linked Devices). This establishes a long-term backdoor to the victim’s chats.
Even if the malicious npm package is later removed from the project or the runtime environment, the attacker’s paired device can continue to receive messages, send messages on the victim’s behalf and request fresh tokens. Unless the user manually checks the “Linked devices” section in WhatsApp settings and revokes unknown sessions, this access remains largely invisible to traditional endpoint security tools.
Why the malicious npm package evaded detection for months
Koi Security reports that lotusbail’s code contains at least 27 anti-analysis traps using infinite loops, designed to frustrate both manual reverse engineering and automated sandboxing. These anti-debug and anti-reversing techniques raise the cost of investigation and can cause automated tools to time out or misclassify the sample.
The fact that lotusbail looked like a normal fork of a widely used open-source library, and that its core WhatsApp Web API functionality worked as advertised, further reduced suspicion. In many development teams, third-party “infrastructure” dependencies are only skimmed at the source level, and their runtime behavior is rarely monitored in depth, especially when the package appears to be a community-standard solution.
This incident mirrors a broader trend: software supply chain attacks via ecosystems like npm and PyPI have become a primary vector for compromising both consumer devices and enterprise infrastructure. Previous real-world examples include the compromise of the event-stream npm package and malicious versions of ua-parser-js, which demonstrated how quickly malicious updates can propagate through transitive dependencies.
Incident response for teams that used lotusbail
Immediate steps for affected developers and organizations
Projects and companies that integrated lotusbail should take the following actions as quickly as possible:
- Remove the lotusbail package from all dependencies, build environments and deployment artifacts.
- Inventory all repositories and environments where the library might have been used, including legacy branches, CI systems and test environments.
- Ask users to review the “Linked devices” section in WhatsApp and manually remove any unknown or suspicious devices.
- Rotate all keys and tokens associated with WhatsApp integrations, chatbots and automation workflows that relied on the compromised library.
Strengthening npm software supply chain security
To reduce the risk of similar npm malware incidents, security and engineering teams should adopt stricter software supply chain controls:
- Combine source code review with dynamic behavior analysis in a sandbox, paying special attention to unexpected network connections and file system access.
- Monitor outbound connections, especially during user authentication flows and interactions with messaging platforms or other sensitive services.
- Use Software Composition Analysis (SCA) tools, signed artifacts and lock files to track the exact versions of dependencies in use and quickly identify suspicious updates.
- Apply the principle of least privilege by minimizing the secrets and permissions granted to services that interact with external APIs such as WhatsApp.
- Formalize the process for adopting new npm packages, including manual review, verification of maintainer reputation, scrutiny of unexpected forks of popular libraries and continuous monitoring for high-risk indicators.
The lotusbail case underscores that even familiar, widely used npm libraries can become vectors for stealthy compromise. Strengthening dependency governance, monitoring application behavior at runtime and enforcing rigorous onboarding processes for open-source components are now essential parts of secure development. Teams that treat software supply chain security as a first-class concern are far better positioned to prevent a seemingly harmless WhatsApp Web helper library from turning into a powerful tool for data theft and account takeover.
