Researchers at Koi Security have exposed a sophisticated supply chain attack that rewrites the rules for npm malware. The lotusbail package, posing as a WhatsApp Web API library, stole authentication credentials, intercepted messages, and installed persistent backdoors—all while functioning flawlessly as advertised.
This marks the second major discovery from Koi's research team this week. Just days ago, we reported on their investigation into the GhostPoster campaign, which concealed malicious code inside Firefox extension logo files. The pattern emerging from their work suggests attackers are evolving beyond simple typosquats into far more dangerous territory.
The Functional Malware Problem
The lotusbail package accumulated over 56,000 downloads across six months and remains live on the npm registry at the time of writing. What makes this case particularly alarming is that the package actually works.
Built as a fork of the legitimate @whiskeysockets/baileys library, lotusbail provided real WhatsApp messaging functionality. Developers could send messages, receive them, handle media files, and manage contacts exactly as the documentation promised. The code passed functionality tests and survived code reviews because it did exactly what it claimed to do—plus something extra.
According to Koi Security's analysis, the malware wrapped the legitimate WebSocket client that communicates with WhatsApp servers, intercepting every piece of data flowing through the connection. Authentication tokens, complete message history, contact lists, and media files all got duplicated and encrypted before exfiltration to attacker-controlled servers.
The Backdoor That Won't Die
The most dangerous aspect of this attack involves WhatsApp's device pairing mechanism. Koi's researchers discovered that lotusbail includes a hardcoded pairing code buried in encrypted configuration strings. When developers authenticated their applications using this library, they unknowingly linked the attacker's device to their WhatsApp account.
This creates persistent access that survives even after the malicious package is removed. Uninstalling lotusbail from your project doesn't revoke the pairing—the attacker's device remains linked to your WhatsApp account until you manually unlink all devices through WhatsApp settings.
The malware also included 27 anti-debugging traps and four layers of obfuscation (Unicode manipulation, LZString compression, Base-91 encoding, and AES encryption) to hide the exfiltration server location. Custom RSA encryption—unnecessary for a legitimate WhatsApp library—was implemented specifically to encrypt stolen data before transmission.
How to Protect Your Projects
If you're using npm packages in your development workflow, here are immediate steps to reduce supply chain risk:
Audit your dependencies now. Check if lotusbail appears anywhere in your project or its dependency tree. Search for lotusbail in your package.json and package-lock.json files.
Check linked WhatsApp devices. If you've used this package, open WhatsApp, go to Settings > Linked Devices, and manually unlink any devices you don't recognize. Removing the npm package alone won't fix this.
Implement dependency scanning. Tools like npm audit, Snyk, or Socket Security can flag suspicious package behaviors at install time—things like custom encryption in messaging libraries or anti-debugging code.
Review package behavior, not just code. Static analysis misses functional malware. Look for packages that implement cryptography they shouldn't need, contact external servers outside their documented purpose, or include obfuscation layers.
Monitor runtime behavior. Sandbox testing environments that watch what packages actually do during execution can catch data exfiltration attempts that code review misses.
Verify package authenticity. Check the maintainer's history, compare download patterns to similar legitimate packages, and look for red flags like recent ownership transfers or sudden version jumps.
Read the Full Technical Analysis
Koi Security's research team has published a comprehensive technical breakdown of the lotusbail malware, including the complete attack chain, code samples showing the encryption implementation, details on the anti-debugging mechanisms, and indicators of compromise.
Their analysis demonstrates how attackers are professionalizing supply chain attacks with development practices like code comments, version control, and sophisticated obfuscation techniques. This isn't script-kiddie work—it's engineered malware designed to evade detection.
Read Koi Security's full technical writeup on their blog to understand the complete scope of this attack and see the actual code samples that reveal how the malware operates.
The lotusbail case makes one thing clear: download counts and working functionality are no longer reliable indicators of package safety. As Koi's research shows, the most dangerous npm packages are the ones that work exactly as promised—while doing something else entirely in the background.