Cybersecurity researchers found a bad package on npm. It looks like a real WhatsApp API. The package can read all messages. It can also connect the attacker’s device to the user’s WhatsApp account.

The package is called “lotusbail.” It was uploaded to the npm registry by a user named “seiren_primrose” in May 2025. Since then, it has been downloaded over 56,000 times. Around 711 downloads happened in the last week. The library is still available for download at the time of writing.

The malware hides as a normal tool. It steals WhatsApp login details. It reads every message. It also collects contact information. The malware installs a backdoor and stays active on the system. It then encrypts the data and sends it to the attacker’s server. This was shared by Koi Security researcher Tuval Admoni in a report published over the weekend.

The malware can steal login tokens and session keys. It can also collect message history, contact lists with phone numbers, and media files. The library is based on the real @whiskeysockets/baileys package. That package is a trusted tool for WhatsApp Web. However, this fake version uses a harmful WebSocket layer. All login details and messages pass through it. This allows the malware to steal chats and credentials. The stolen data is encrypted and sent to a server controlled by the attacker.

The attack does not stop here. The package also has a hidden feature. It can keep long-term access to the victim’s WhatsApp account. It does this by taking control of the device linking process. The malware uses a hard-coded pairing code to link the attacker’s device.

Admoni explained that using this library links more than just your application. It also links the attacker’s device. The attacker then gets full and long-term access to the WhatsApp account. The user does not know that the attacker is connected.

By linking their device to the victim’s WhatsApp account, the attacker keeps access to chats and contacts. This access continues even after the package is removed from the system. The attacker’s device stays linked to the WhatsApp account. It will remain active until the user manually removes it from the app’s settings.

According to Koi Security’s Idan Dardikman, the harmful activity starts once the library is used to access WhatsApp.

Dardikman said the malware hides inside the WebSocket client. When a user logs in and starts sending or receiving messages, the spying begins. No extra action is needed beyond normal API use. The backdoor pairing code also runs during login. Because of this, the attacker’s device gets linked as soon as the app connects to WhatsApp.

The “lotusbail” package also has anti-debugging features. When it detects debugging tools, it enters an endless loop. This causes the program to freeze and stop working.

“Supply chain attacks aren’t slowing down – they’re getting better,” Koi said. “Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it. Reputation systems have seen 56,000 downloads, and trust it. The malware hides in the gap between ‘this code works’ and ‘this code only does what it claims.’”

Malicious NuGet Packages Target the Crypto Ecosystem

The disclosure comes after ReversingLabs reported 14 harmful NuGet packages. These packages pretend to be Nethereum and other crypto tools. Their goal is to steal money and sensitive data. When a transaction is more than $100, the funds are sent to the attacker’s wallet. Some packages also steal private keys and seed phrases.

The names of the packages, published from eight different accounts, are listed below –

  • binance.csharp
  • bitcoincore
  • bybitapi.net
  • coinbase.net.api
  • googleads.api
  • nbitcoin.unified
  • nethereumnet
  • nethereumunified
  • netherеum.all
  • solananet
  • solnetall
  • solnetall.net
  • solnetplus

The packages use different tricks to look safe and trustworthy. They increase fake download numbers to gain trust. They also release many updates in a short time. This makes the packages appear active and well maintained. The campaign dates all the way back to July 2025.

The malicious code only activates when developers install these packages and use certain functions in their apps. One of the notable packages is GoogleAds.API. Instead of stealing wallet data, it targets Google Ads OAuth details and sends them to the attacker.

These values are very sensitive because they give full access to a Google Ads account. If attackers get this data, they can act like the real advertiser. They can view all campaign and performance data. They can create, edit, or delete ads. They can also spend unlimited money on fake or harmful ad campaigns, according to ReversingLabs.
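As an added, defender-side example (not code from the report, from Koi Security, ReversingLabs, or any project named above), the Python script below scans an npm package-lock.json and a NuGet packages.lock.json for the package names this article lists, the npm “lotusbail” package and the 13 NuGet packages, and additionally flags any dependency whose name contains non-ASCII characters, the homoglyph trick typosquatters use to imitate a well-known id. The two lockfiles, the names demo-app, demo-util, Acme.Logging and exаmple-lib, and every version string are constructed for the example; the block lists are copied from the article.

```python
"""Lockfile scanner for the packages named in the report above.

Added example, not code from the report, Koi Security, ReversingLabs or
any named project. The block lists are copied from the article; the two
lockfiles at the bottom are constructed samples with placeholder versions.
"""
import json

# npm package named in the report.
NPM_BLOCKLIST = {"lotusbail"}

# NuGet package ids named in the report (NuGet ids are case-insensitive,
# so matching is done on case-folded names).
NUGET_BLOCKLIST = {
    "binance.csharp", "bitcoincore", "bybitapi.net", "coinbase.net.api",
    "googleads.api", "nbitcoin.unified", "nethereumnet", "nethereumunified",
    "netherеum.all", "solananet", "solnetall", "solnetall.net", "solnetplus",
}


def npm_lock_packages(lock: dict) -> dict:
    """Map package name -> version for a package-lock.json (lockfileVersion 2/3).

    Keys look like "node_modules/foo" or, for nested installs,
    "node_modules/foo/node_modules/@scope/bar"; the name is whatever follows
    the last "node_modules/".
    """
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version", "unknown")
    return found


def nuget_lock_packages(lock: dict) -> dict:
    """Map package id -> resolved version for a NuGet packages.lock.json."""
    found = {}
    for framework_deps in lock.get("dependencies", {}).values():
        for name, meta in framework_deps.items():
            found[name] = meta.get("resolved", "unknown")
    return found


def scan(packages: dict, blocklist: set) -> dict:
    """Return {name: (version, reason)} for every suspicious dependency.

    Two checks: an exact case-folded match against the block list, and any
    non-ASCII character in the name (a Cyrillic letter standing in for a
    Latin one is the usual homoglyph typosquat).
    """
    findings = {}
    for name, version in packages.items():
        if name.casefold() in blocklist:
            findings[name] = (version, "known-malicious")
        elif any(ord(ch) > 127 for ch in name):
            findings[name] = (version, "non-ascii-name")
    return findings


def scan_npm_lock(lock: dict) -> dict:
    return scan(npm_lock_packages(lock), NPM_BLOCKLIST)


def scan_nuget_lock(lock: dict) -> dict:
    return scan(nuget_lock_packages(lock), NUGET_BLOCKLIST)


# Constructed sample lockfiles (not real projects); "0.0.0" is a placeholder.
# "ex\u0430mple-lib" spells "example-lib" with a Cyrillic а (U+0430).
NPM_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/lotusbail": {"version": "0.0.0"},
    "node_modules/demo-util": {"version": "0.0.0"},
    "node_modules/demo-util/node_modules/ex\\u0430mple-lib": {"version": "0.0.0"}
  }
}""")

NUGET_LOCK = json.loads("""{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Acme.Logging": {"type": "Direct", "resolved": "0.0.0"},
      "NethereumNet": {"type": "Direct", "resolved": "0.0.0"},
      "Solnetplus": {"type": "Transitive", "resolved": "0.0.0"}
    }
  }
}""")

if __name__ == "__main__":
    for label, findings in (("npm", scan_npm_lock(NPM_LOCK)),
                            ("nuget", scan_nuget_lock(NUGET_LOCK))):
        for name, (version, reason) in sorted(findings.items()):
            print(f"{label}: {name}@{version} -> {reason}")
```

Run it against a real project by replacing the two constructed dictionaries with `json.load(open("package-lock.json"))` and `json.load(open("packages.lock.json"))`. The non-ASCII check is deliberately separate from the block list: a block list only catches names already reported, while a homoglyph in a dependency name is suspicious on its own and worth a manual look even when the id is not yet known to be malicious.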
