general · International · The Hacker News

Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

Monday, December 22, 2025

What

The 'lotusbail' package, which appears to provide legitimate functionality for WhatsApp, actually intercepts messages and steals sensitive data such as authentication tokens and contact lists. It employs a malicious WebSocket wrapper that routes data through an attacker's device, enabling persistent access to victims' accounts even after the package is uninstalled. This incident highlights the growing sophistication of supply chain attacks in the software development ecosystem.

Where

Global, affecting users of the npm repository and WhatsApp.

When

The package has been available since May 2025 and has accumulated significant downloads over the past six months.

Key Factors

  • The package uses a malicious WebSocket wrapper to intercept and exfiltrate data.
  • It can link an attacker's device to a victim's WhatsApp account, allowing ongoing access.
  • The malware includes anti-debugging features to evade detection.

Takeaways

  • Developers should scrutinize third-party packages and their sources before integration.
  • The incident underscores the need for enhanced security measures in software supply chains.
  • Regularly audit and monitor dependencies for suspicious activity.
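One way to carry out the dependency audit described above, as an added example (not code from the report or from npm): it scans a parsed package-lock.json for the 'lotusbail' name, including transitive installs and npm aliases. The function names, the sample lockfile and its version strings are constructed for illustration.

```javascript
// Added example: flag denylisted packages in a parsed package-lock.json.
const DENYLIST = new Set(["lotusbail"]); // package name taken from the report

// Name of the package installed at a lockfile v2/v3 "packages" key.
// "node_modules/a/node_modules/@s/b" -> "@s/b"; entry.name wins for npm aliases.
function installedName(key, entry) {
  if (entry && entry.name) return entry.name;
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? "" : key.slice(i + "node_modules/".length);
}

function findDenylisted(lock, denylist = DENYLIST) {
  const hits = [];
  // Lockfile v2/v3: flat map keyed by install path, transitive deps included.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = installedName(key, entry);
    if (denylist.has(name)) hits.push({ name, version: entry.version, path: key });
  }
  // Lockfile v1: nested "dependencies" tree; aliases appear as "npm:real@ver".
  const walk = (deps, trail) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const alias = /^npm:((?:@[^/]+\/)?[^@]+)@/.exec(entry.version || "");
      const name = alias ? alias[1] : depName;
      const path = [...trail, depName].join(" > ");
      if (denylist.has(name)) hits.push({ name, version: entry.version, path });
      walk(entry.dependencies, [...trail, depName]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3): one transitive install and one alias.
const SAMPLE_LOCK = {
  name: "demo-bot", lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/chat-helper": { version: "0.3.1" },
    "node_modules/chat-helper/node_modules/lotusbail": { version: "0.0.0-sample" },
    "node_modules/wa-client": { name: "lotusbail", version: "0.0.0-sample" },
  },
};

console.log(findDenylisted(SAMPLE_LOCK));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json to `findDenylisted`. Because the report says access persists after the package is uninstalled, a hit also calls for reviewing the devices linked to the affected WhatsApp account.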

Reported by 2 Sources
