vulnerability | International | Le Monde Informatique
Malicious npm Package 'lotusbail' Steals WhatsApp Data, Establishes Persistence
Wednesday, December 31, 2025
What
A trojanized npm package named "lotusbail" was found to act as a malicious proxy for a legitimate WhatsApp client, stealing sensitive user data including messages, contacts, and session tokens. This is critical because it compromises user privacy and allows attackers to maintain control over WhatsApp accounts even after the package is removed.
Where
Developers using Node.js and WhatsApp Web API libraries are affected, particularly those who downloaded the "lotusbail" package from npm.
When
The package was discovered by Koi Security researchers after being available on npm for 6 months and accumulating over 50,000 downloads.
Key Factors
- The "lotusbail" package functions as a malicious wrapper around a legitimate WhatsApp WebSocket client, transparently intercepting and exfiltrating sensitive data.
- Stolen data is encrypted and obfuscated using custom RSA, AES, and multiple obfuscation layers (LZString, Base-91) to evade network monitoring tools.
- The malware achieves account persistence by abusing WhatsApp's multi-device pairing, embedding a hardcoded pairing code that keeps the attacker's device connected even after package uninstallation.
Takeaways
- Developers should implement runtime behavior monitoring for third-party packages, rather than relying solely on static analysis or reputation, to detect hidden malicious logic.
- WhatsApp users should regularly review and unlink unknown devices from their linked devices settings to mitigate persistent access from compromised accounts.