Malicious NPM Package Masquerading as WhatsApp Web API Steals Messages and Account Access

 

A harmful package hosted on the Node Package Manager (NPM) registry has been found impersonating a genuine WhatsApp Web API library, with the intent to spy on user activity. Disguised as a legitimate developer tool, the package is designed to siphon WhatsApp messages, harvest contact details, and ultimately take control of user accounts.
The threat originates from a fork of the widely used WhiskeySockets Baileys project. While it offers the same expected functionality, the compromised package was published on npm under the name lotusbail and has been available for at least six months, during which it was downloaded over 56,000 times.
The issue was uncovered by researchers at supply-chain security firm Koi Security. Their analysis revealed that the package is capable of capturing WhatsApp authentication tokens and session keys, monitoring all incoming and outgoing messages, and extracting sensitive data such as contact lists, media, and shared documents.
“The package wraps the legitimate WebSocket client that communicates with WhatsApp. Every message that flows through your application passes through the malware’s socket wrapper first,” the researchers explain.
“When you authenticate, the wrapper captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them.”
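To check whether lotusbail is present anywhere in a project's dependency tree, including as a transitive or aliased dependency, the lockfile can be scanned for the package name. The following is an added example, not code from the article or from Koi Security; the sample lockfiles and version strings are constructed, and findPackage and aliasTarget are names chosen for this illustration.

```javascript
// Added example: find a named package anywhere in a parsed package-lock.json.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages"),
// plus npm aliases, where the installed folder name differs from the real package.
const SUSPECT = 'lotusbail'; // package name reported in the article

function aliasTarget(version) {
  // An aliased dependency in a v1 lockfile has version "npm:<real-name>@<range>".
  const m = /^npm:((?:@[^/]+\/)?[^@]+)@/.exec(String(version || ''));
  return m ? m[1] : null;
}

function findPackage(lock, suspect = SUSPECT) {
  const hits = [];
  // lockfileVersion 2 and 3: keys are install paths such as
  // "node_modules/a/node_modules/b"; the last segment is the installed name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const installed = path.split('node_modules/').pop();
    const real = meta.name || installed; // "name" is set when the entry is an alias
    if (installed === suspect || real === suspect) {
      hits.push({ path, version: meta.version || null });
    }
  }
  // lockfileVersion 1 (and the compatibility tree in v2): walk nested dependencies.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(' > ');
      if (name === suspect || aliasTarget(meta.version) === suspect) {
        hits.push({ path, version: meta.version || null });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-bot', version: '1.0.0' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-sample' },
  'node_modules/baileys': { name: 'lotusbail', version: '0.0.0-sample' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'wa-helper': { version: '1.2.0', dependencies: { lotusbail: { version: '0.0.0-sample' } } },
  baileys: { version: 'npm:lotusbail@0.0.0-sample' } } };

console.log(findPackage(sampleV3), findPackage(sampleV1));
```

In practice the input would be JSON.parse of the project's own package-lock.json; a hit under an alias means the name in package.json alone would not have revealed the dependency.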