
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Malicious npm Package Masquerades as WhatsApp API, Enables Full Account Takeover

Researchers have uncovered a malicious npm package that poses as a legitimate WhatsApp API library while covertly enabling full account takeover. The package, named lotusbail, functions as advertised on the surface but secretly intercepts messages, harvests credentials, and permanently links an attacker-controlled device to victims’ WhatsApp accounts.
With more than 56,000 downloads since May 2025, the package shows how software supply chain threats continue to bypass traditional security controls by blending malicious behavior into fully functional developer tools.
Context
The JavaScript ecosystem, particularly the npm registry, remains a high-value target for attackers due to its scale and implicit trust model. Developers routinely pull dependencies that appear legitimate, popular, and functional—conditions that attackers increasingly exploit.
This campaign underscores a growing trend: malware that does not break functionality, but instead weaponizes it. By embedding malicious logic inside otherwise working libraries, attackers can evade both static analysis and reputation-based defenses.
What Happened
Security researchers identified lotusbail, an npm package advertised as a WhatsApp Web API client. Uploaded in May 2025, the library remained publicly available and actively downloaded, including hundreds of installs in the past week alone.
Under normal usage, the package behaves like a standard API client. However, once a developer uses it to authenticate with WhatsApp, the malware activates automatically—without requiring any special configuration or suspicious calls.
Technical Breakdown
The malicious package is modeled on @whiskeysockets/baileys, a legitimate TypeScript library for interacting with the WhatsApp Web API.
Instead of implementing the API directly, lotusbail inserts a malicious WebSocket wrapper that silently intercepts:
Authentication tokens and session keys
Full message histories
Contact lists with phone numbers
Media files and shared documents
All captured data is encrypted and exfiltrated to attacker-controlled infrastructure.
More critically, the package hijacks WhatsApp’s device-linking workflow using a hard-coded pairing code. During authentication, it silently links the attacker’s device to the victim’s WhatsApp account, granting persistent access that survives even after the package is removed.
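As an added defender-side example (not code from the article, from lotusbail, or from baileys), the following Node.js snippet guards WebSocket egress from a process: any socket a dependency tries to open to a host outside an allow-list is refused and reported, which is the second channel described above. The names `ALLOWED_WS_HOSTS`, `isAllowedSocketTarget` and `guardWebSocket`, and the host list itself, are assumptions.

```javascript
// Added example, not code from the article or from lotusbail / baileys:
// an egress guard for WebSocket connections in a Node.js process. It catches
// a dependency that opens a socket to infrastructure other than the service
// it claims to talk to, the behaviour the article attributes to lotusbail.

// ASSUMPTION: hostnames a legitimate WhatsApp Web client is expected to
// reach. Treat this as a placeholder and confirm it against traffic observed
// in your own environment before enforcing it.
const ALLOWED_WS_HOSTS = ['web.whatsapp.com'];

// Decide whether a WebSocket URL points at an allow-listed host (or a
// subdomain of one). Non-ws(s) schemes and unparsable URLs are refused so
// a malformed target cannot slip past the check.
function isAllowedSocketTarget(target, allowedHosts = ALLOWED_WS_HOSTS) {
  let url;
  try {
    url = new URL(String(target));
  } catch {
    return false;
  }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return false;
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Wrap a WebSocket constructor so every new connection is checked before
// it opens. `report` receives one record per denied attempt (forward it to
// your logs or SIEM); the stack trace shows which dependency made the call.
function guardWebSocket(BaseWebSocket, allowedHosts, report) {
  return class GuardedWebSocket extends BaseWebSocket {
    constructor(target, ...rest) {
      if (!isAllowedSocketTarget(target, allowedHosts)) {
        report({
          kind: 'ws-egress-denied',
          target: String(target),
          stack: new Error().stack,
        });
        throw new Error(`WebSocket egress to ${target} is not allow-listed`);
      }
      super(target, ...rest);
    }
  };
}
```

Apply it to whichever WebSocket constructor the integration actually uses (the global `WebSocket`, or the `ws` package's export patched before the dependency loads); a library that bundles its own client needs the same rule enforced at network egress instead.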
Impact Analysis
Once an attacker’s device is linked, the attacker gains long-term access to messages, contacts, and future communications until the victim manually removes the device from WhatsApp settings.
The malware also includes anti-debugging logic designed to stall execution when analysis tools are detected, complicating investigation and reverse engineering.
This makes lotusbail particularly dangerous in enterprise or SaaS environments where WhatsApp integrations are used operationally, potentially exposing sensitive business communications at scale.
Why It Matters
This incident demonstrates a mature evolution in supply chain attacks. The malware succeeds precisely because it works as advertised.
Static scanners see valid WhatsApp functionality. Reputation systems see tens of thousands of downloads. Developers see an API that does its job.
The attack lives in the gap between “this code works” and “this code does only what it claims.”
Expert Commentary
Koi Security researchers note that the malicious behavior activates during standard API usage, making detection exceptionally difficult.
Traditional security controls struggle to identify threats that do not rely on obvious exploits, malicious binaries, or overtly suspicious behavior.
Key Takeaways
Fully functional libraries can still be malicious
Popularity and download counts are not indicators of safety
Supply chain attacks increasingly target authentication workflows
Persistent account takeover can occur without user awareness
Dependency vetting must go beyond static analysis

