BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

New Malicious WhatsApp API Package Steals Messages, Hijacks Accounts

Malicious npm and NuGet Packages Steal WhatsApp Data and Cryptocurrency Credentials Through Persistent Backdoors and Sophisticated Evasion Techniques

  • A malicious npm package named lotusbail functions as a WhatsApp API but steals user credentials and messages.
  • lotusbail has been downloaded over 56,000 times since May 2025 and remains available for download.
  • The Malware intercepts chats, harvests contacts, installs a backdoor, and links the attacker’s device to the victim’s WhatsApp account persistently.
  • Several malicious NuGet packages impersonating cryptocurrency tools steal funds and sensitive data like private keys and OAuth tokens.
  • These attack packages use techniques such as inflated download counts and rapid version updates to appear legitimate.

A new malicious package called lotusbail has been discovered on the npm repository. Uploaded in May 2025 by a user named “seiren_primrose,” the package has been downloaded over 56,000 times, with hundreds of downloads continuing weekly. Although it functions as a WhatsApp API, it secretly captures every message and links the attacker’s device to the victim’s WhatsApp account, compromising user security.

- Advertisement -

According to a report by Koi Security researcher Tuval Admoni, the malware steals WhatsApp credentials, intercepts messages, gathers contacts, installs a persistent backdoor, encrypts data, and sends it to the attacker’s server. It captures authentication tokens, session keys, media, and document files, using a malicious WebSocket wrapper to intercept communication.

This package is based on @whiskeysockets/baileys, a legitimate TypeScript library for WhatsApp Web API interaction, but includes covert code that hijacks the device linking process with a hard-coded pairing code. This allows attackers to link their device to the victim’s WhatsApp account, gaining persistent access even if the package is removed. Admoni emphasized, “When you use this library to authenticate, you’re not just linking your application — you’re also linking the threat actor’s device.”

The malicious activity activates during normal authentication, wrapping the WebSocket client to intercept message data immediately. Additionally, lotusbail has anti-debugging features causing it to freeze when debugging tools are detected.

Separately, a set of malicious NuGet packages targeting the cryptocurrency ecosystem has been identified. These 14 packages impersonate well-known libraries like Nethereum, a .NET integration for Ethereum, and other crypto-related tools. Released from multiple accounts since July 2025, these packages divert transaction funds exceeding $100 to attacker-controlled wallets and steal private keys and seed phrases.

- Advertisement -

The malicious NuGet packages include names such as Binance.csharp, bitcoincore, coinbase.net.api, and googleads.api. Of note, the GoogleAds.API package steals Google Ads OAuth tokens, which provide full programmatic access to an advertising account, enabling attackers to read campaign data and run ads potentially with unlimited spending, as detailed by ReversingLabs.

To enhance perceived trust, these packages inflate download statistics and publish multiple versions rapidly. Their malicious code triggers only when installed by developers and integrated into other software, making detection difficult.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

LINE NEXT launches global stablecoin platform Unifi

LINE NEXT has launched Unifi, a non-custodial stablecoin platform, now available globally as it...

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

Must Read

How to Buy VPN With Bitcoin Using CyberGhost VPN

In this step-by-step guide, you will learn how to purchase a VPN (Virtual Private Network) subscription using Bitcoin, a popular cryptocurrency, and CyberGhost VPN,...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading