New Malicious WhatsApp API Package Steals Messages, Hijacks Accounts

Malicious npm and NuGet Packages Steal WhatsApp Data and Cryptocurrency Credentials Through Persistent Backdoors and Sophisticated Evasion Techniques

  • A malicious npm package named lotusbail functions as a WhatsApp API but steals user credentials and messages.
  • lotusbail has been downloaded over 56,000 times since May 2025 and remains available for download.
  • The malware intercepts chats, harvests contacts, installs a backdoor, and persistently links the attacker’s device to the victim’s WhatsApp account.
  • Several malicious NuGet packages impersonating cryptocurrency tools steal funds and sensitive data like private keys and OAuth tokens.
  • These packages use techniques such as inflated download counts and rapid version updates to appear legitimate.

A new malicious package called lotusbail has been discovered on the npm repository. Uploaded in May 2025 by a user named “seiren_primrose,” the package has been downloaded over 56,000 times, with hundreds of downloads continuing weekly. Although it functions as a WhatsApp API, it secretly captures every message and links the attacker’s device to the victim’s WhatsApp account, compromising user security.

According to a report by Koi Security researcher Tuval Admoni, the malware steals WhatsApp credentials, intercepts messages, gathers contacts, installs a persistent backdoor, encrypts data, and sends it to the attacker’s server. It captures authentication tokens, session keys, media, and document files, using a malicious WebSocket wrapper to intercept communication.

This package is based on @whiskeysockets/baileys, a legitimate TypeScript library for WhatsApp Web API interaction, but includes covert code that hijacks the device linking process with a hard-coded pairing code. This allows attackers to link their device to the victim’s WhatsApp account, gaining persistent access even if the package is removed. Admoni emphasized, “When you use this library to authenticate, you’re not just linking your application — you’re also linking the threat actor’s device.”

The malicious code activates during normal authentication, wrapping the WebSocket client so that it intercepts message data immediately. Additionally, lotusbail has anti-debugging features that cause it to freeze when debugging tools are detected.

Separately, a set of malicious NuGet packages targeting the cryptocurrency ecosystem has been identified. These 14 packages impersonate well-known libraries like Nethereum, a .NET integration for Ethereum, and other crypto-related tools. Released from multiple accounts since July 2025, these packages divert transaction funds exceeding $100 to attacker-controlled wallets and steal private keys and seed phrases.

The malicious NuGet packages include names such as Binance.csharp, bitcoincore, coinbase.net.api, and googleads.api. Of note, the GoogleAds.API package steals Google Ads OAuth tokens, which provide full programmatic access to an advertising account, enabling attackers to read campaign data and run ads potentially with unlimited spending, as detailed by ReversingLabs.

To enhance perceived trust, these packages inflate download statistics and publish multiple versions rapidly. Their malicious code triggers only when installed by developers and integrated into other software, making detection difficult.
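
A defender's check for the package names reported above, as an added example that is not from the article, Koi Security or ReversingLabs: it scans a parsed package-lock.json (including transitive and aliased installs) and .csproj text for those names. The sample manifests, versions and function names are constructed for illustration.

```javascript
// Package names are the ones reported in the article; the manifests below are constructed samples.
const NPM_BAD = new Set(['lotusbail']);
// NuGet IDs are case-insensitive, so compare in lower case. Only 4 of the 14 are named.
const NUGET_BAD = new Set(['binance.csharp', 'bitcoincore', 'coinbase.net.api', 'googleads.api']);

// Scan a parsed package-lock.json, including transitive installs.
function scanNpmLock(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // An aliased install records the real package in "name"; otherwise use the path tail.
      const name = meta.name || path.split('node_modules/').pop();
      if (NPM_BAD.has(name)) hits.push({ name, version: meta.version, via: path });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const via = [...trail, name];
      if (NPM_BAD.has(name)) hits.push({ name, version: meta.version, via: via.join(' > ') });
      walk(meta.dependencies, via);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Scan .csproj text for PackageReference entries matching the reported NuGet names.
function scanCsproj(xml) {
  const re = /<PackageReference\b[^>]*\bInclude\s*=\s*"([^"]+)"/gi;
  return [...xml.matchAll(re)].map((m) => m[1]).filter((id) => NUGET_BAD.has(id.toLowerCase()));
}

// Constructed sample input: one nested install, one aliased install, one NuGet reference.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'chat-bot', version: '1.0.0' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-sample' },
  'node_modules/baileys-alias': { name: 'lotusbail', version: '0.0.0-sample' },
} };
const sampleCsproj = `<Project><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="GoogleAds.API" Version="0.0.0-sample" />
</ItemGroup></Project>`;
console.log(scanNpmLock(sampleLock), scanCsproj(sampleCsproj));
```

A hit on lotusbail calls for more than uninstalling: as the article notes, the attacker's linked device persists after the package is removed, so the account's linked devices also have to be reviewed.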
