Malicious npm package for WhatsApp with 56,000 downloads identified; it allows account access and message theft

A malicious package published on the Node Package Manager (npm) registry and aimed at WhatsApp Web allows attackers to access users’ messages, multimedia files, contacts and passwords undetected, by posing as a legitimate library; it already has 56,000 downloads.

The npm service is a software package manager used by JavaScript developers, who publish packages for all kinds of functions. Among the published packages, one has been identified that poses as a legitimate WhatsApp Web API library but in reality includes malicious code.

This package is a fork of the WhiskeySockets Baileys project, which provides functionality for creating bots or automations for WhatsApp Web that are then used within the application.

However, published under the name ‘lotusbail’, this package, identified by the security company Koi Security, also has the ability to steal WhatsApp authentication tokens and session keys, as well as to intercept sent and received messages in order to read their content and steal multimedia files such as photographs, audio recordings and videos.

Specifically, as security researchers explained in a statement, the package allows messages to be stolen because it affects the legitimate ‘WebSocket’ client that communicates with WhatsApp and that receives all messages from the application before

“When you authenticate, the container captures your credentials. When messages arrive, it intercepts them. When you send messages, it records them. Legitimate functionality continues to function normally; the ‘malware’ simply adds a second recipient for everything,” the company explained.

Likewise, the captured data is encrypted with a complete, custom RSA implementation before exfiltration, so that, in the researchers’ words, “network monitoring does not detect it.”

Malicious actors can also use this system to take control of the user’s account and read their conversations invisibly. This is because the package includes a malicious feature that links the attacker’s device to the victim’s WhatsApp account through WhatsApp’s own device pairing process.

Specifically, the legitimate flow generates a random 8-character pairing code, which is entered on the new device to link it; the ‘malware’ hijacks this process, and the pairing code it uses is also encoded.

Given all this, to prevent unauthorized access to the account, users are advised to review the linked devices in the ‘Settings’ section and, if an unknown device appears, unlink it from their account.

This package with malicious code has been active for six months and, according to the cybersecurity researchers, already has 56,000 downloads on npm. In this context, they recommend that developers monitor the platform’s behavior at runtime in order to detect unexpected activity and find out whether malicious code is being executed.
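The researchers’ advice above concerns runtime monitoring. A cheaper, complementary check that a defender can run in CI is to audit the project’s lockfile for a package name once it is known to be malicious, including copies nested under some other dependency, which is how a fork like this typically ends up installed without anyone having asked for it. The following is an added example written for this page, not code from the article or from Koi Security. The only identifier taken from the page is ‘lotusbail’; the helper-library name, the versions and the lockfile contents are constructed placeholders.

```javascript
// Added example, not code from the article or from Koi Security: a static
// audit of an npm lockfile that reports every installed copy of a
// blocklisted package, including transitive ones buried under another
// dependency. The only blocklisted name taken from the article is
// 'lotusbail'; all other package names and versions below are constructed.

const BLOCKLIST = new Set(['lotusbail']);

// Split a lockfile v2/v3 path such as
// "node_modules/a/node_modules/@scope/b" into ["a", "@scope/b"]:
// the last element is the package itself, the rest are the packages it is
// nested under, i.e. its dependency chain from the project root.
function parsePath(path) {
  const segments = path.replace(/^node_modules\//, '').split('/node_modules/');
  return { name: segments[segments.length - 1], via: segments.slice(0, -1) };
}

// Lockfile v1 (npm 6) nests transitive dependencies inside each entry's
// "dependencies" object; walk it recursively, carrying the chain along.
function* walkV1(deps, via) {
  for (const [name, info] of Object.entries(deps || {})) {
    yield { name, version: info.version, via, path: null };
    yield* walkV1(info.dependencies, [...via, name]);
  }
}

// Lockfile v2/v3 (npm 7+) lists every installed package flat under
// "packages", keyed by its node_modules path; "" is the project itself.
function* walkV2(packages) {
  for (const [path, info] of Object.entries(packages || {})) {
    if (path === '') continue;
    const { name, via } = parsePath(path);
    // info.name is only present for aliased or linked packages.
    yield { name: info.name || name, version: info.version, via, path };
  }
}

// One finding per installed copy of a blocklisted package.
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const entries = lock.lockfileVersion >= 2
    ? walkV2(lock.packages)
    : walkV1(lock.dependencies, []);
  return [...entries].filter((e) => blocklist.has(e.name));
}

function formatFinding(f) {
  const chain = f.via.length
    ? ` (pulled in via ${f.via.join(' -> ')})`
    : ' (direct dependency)';
  return `${f.name}@${f.version}${chain}`;
}

// Constructed sample: a project that does not depend on 'lotusbail'
// directly but pulls it in through a fictional helper library.
const SAMPLE_LOCK = {
  name: 'example-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', dependencies: { 'example-wa-helper': '^1.0.0' } },
    'node_modules/example-wa-helper': { version: '1.0.0', dependencies: { lotusbail: '*' } },
    'node_modules/example-wa-helper/node_modules/lotusbail': { version: '0.0.0-placeholder' },
    'node_modules/ws': { version: '8.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Against a real project: auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
  for (const f of auditLockfile(SAMPLE_LOCK)) console.log('BLOCKED:', formatFinding(f));
}
```

Reporting the chain (`via`) matters more than the hit itself: removing the blocklisted package fixes nothing if the helper that depends on it is still installed and will pull it straight back in on the next `npm install`. As the article notes, removing the package also does not undo a device pairing that has already happened; that has to be checked in WhatsApp itself.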

Likewise, they have warned that uninstalling the npm package removes the malicious code, but the threat actor’s device remains linked to the WhatsApp account, so it must be unlinked manually.

By Editor
