Malicious NPM package called Lotusbail pulls off a supply chain attack to swipe data
Recently, a malicious NPM package called Lotusbail, masquerading as a WhatsApp Web API library, secretly intercepted authentication tokens, messages, contacts, and media from developers’ applications and exfiltrated the data after encrypting it to evade detection. The supply chain attack also hijacked WhatsApp’s device pairing process to give attackers persistent backdoor access to accounts, which remains even after uninstalling the package unless all linked devices are manually removed.
SecurityWeek has more on this here: https://www.securityweek.com/npm-package-with-56000-downloads-steals-whatsapp-credentials-data/
James Wickett, CEO of DryRun Security, had this to say:
“Backdoors don’t just happen to other people. They happen inside real organizations, often through code that looks legitimate at first glance. Sometimes it’s a malicious dependency, sometimes it’s copied or AI-generated code, and sometimes it’s an internal actor abusing trust. As development accelerates, security teams need visibility into what’s being added to the codebase and the ability to flag suspicious behavior early, so risky changes get reviewed before they turn into credential theft or persistent access in production.”
Developers need to make sure that the code they pull into their applications is trustworthy. Otherwise they end up in a situation like this one, which is bad for them and for the people who use their apps.
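For a team that wants to know whether one of its applications ever pulled in the package, here is an added example (not code from the post, nor from any of the parties it names) that searches a parsed package-lock.json for the package and reports the dependency chain that brought it in; the lowercase name lotusbail is assumed to be the published npm name, and the sample lockfile is constructed.

```javascript
// Added example (not from the original post): search a parsed npm
// package-lock.json (lockfileVersion 2 or 3) for a suspect package and report
// its install paths and the shortest dependency chain that pulls it in.
// "lotusbail" is the article's name; the lowercase npm form is an assumption.
// Lockfile keys look like "node_modules/a/node_modules/b": the package name is
// the last node_modules segment, and "" is the root project.
function nameOf(path) {
  return path === "" ? "<root>" : path.split("node_modules/").pop();
}
// Reverse index: dependency name -> set of lockfile paths that declare it.
function buildDependents(packages) {
  const dependents = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    for (const dep of Object.keys(declared)) {
      const key = dep.toLowerCase();
      if (!dependents.has(key)) dependents.set(key, new Set());
      dependents.get(key).add(path);
    }
  }
  return dependents;
}
// Breadth-first search from the suspect up through its dependents to the root,
// so the first chain found is the shortest one.
function dependencyChain(packages, target) {
  const dependents = buildDependents(packages);
  const start = target.toLowerCase();
  const queue = [[start, [start]]];
  const seen = new Set([start]);
  while (queue.length) {
    const [name, chain] = queue.shift();
    for (const path of dependents.get(name) || []) {
      if (path === "") return ["<root>", ...chain];
      const parent = nameOf(path).toLowerCase();
      if (!seen.has(parent)) { seen.add(parent); queue.push([parent, [parent, ...chain]]); }
    }
  }
  return null; // installed but nothing declares it (stale or extraneous entry)
}
function findSuspectPackage(lockfile, suspect = "lotusbail") {
  const packages = lockfile.packages || {};
  return Object.entries(packages)
    .filter(([path]) => path !== "" && nameOf(path).toLowerCase() === suspect.toLowerCase())
    .map(([path, meta]) => ({ path, version: meta.version, chain: dependencyChain(packages, suspect) }));
}
// Constructed sample lockfile: the app depends on a helper that depends on the suspect.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "wa-bot-helper": "^2.0.0" } },
  "node_modules/wa-bot-helper": { version: "2.1.0", dependencies: { lotusbail: "^1.0.0" } },
  "node_modules/lotusbail": { version: "1.0.0" } } };
```

Run it against a real lockfile with `findSuspectPackage(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a hit on any path means the app has to be treated as compromised, and, as the post notes, removing the package does not revoke the access until the linked WhatsApp devices are removed.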
This entry was posted on December 24, 2025 at 8:49 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.