A malicious variant of the device pairing process is one of the latest risks to WhatsApp Web users, according to the security firm Koi Security, which identified a malicious package in the Node Package Manager (npm) registry. According to its researchers, the compromised package has already been downloaded 56,000 times, allowing attackers to link a new device to their victims’ WhatsApp accounts and thereby gain full access without the victims being aware of the breach. The malware, published under the name “lotusbail”, was found masquerading as a legitimate WhatsApp Web API library.
The media outlet stated that npm is a package manager commonly used by JavaScript developers to add functionality to their projects. The fraudulent package was distributed through this system with an appearance of legitimacy, as it was a fork of the original WhiskeySockets Baileys project. That tool legitimately allows developers to create bots or automate actions in the web version of WhatsApp, which attracted developers interested in this functionality. However, the “lotusbail” package contains malicious code that can intercept messages, multimedia files, contacts and passwords.
According to the experts cited, the software manipulates the data traffic of the “WebSocket” client, the communication channel used by WhatsApp Web. When a person authenticates, the malware automatically captures their credentials. It also lets attackers read every incoming and outgoing message by receiving a copy of each one, without affecting the original functionality. As Koi Security noted, “Legit functionality continues to function normally; malware simply adds a second receiver for everything.”
The malicious package also features a custom RSA encryption mechanism that ensures intercepted data, including messages and files such as photos, videos or audio, leaves the device encrypted, making it difficult to detect with traditional network monitoring, the report said. The strategy combines covert exfiltration of sensitive information with the ability for attackers to remotely control victims’ accounts.
Another notable capability of “lotusbail” lies in manipulating the internal device pairing process of WhatsApp Web. The code prompts the user to generate a random eight-digit pairing code, which is then entered on a new device. This code allows the attacker to link their own device to the victim’s account and thus maintain covert access even after the malicious package has been uninstalled, since the pairing is not automatically removed.
The aforementioned media outlets reported that the package remained active for about six months before it was discovered. Experts recommend that developers who install npm packages pay close attention to how a package behaves at runtime and look for signs of unexpected activity. Koi Security emphasized the importance of carefully reviewing the devices linked to the WhatsApp account, since only by unlinking unknown devices in the application’s Settings section can the access of external actors be completely revoked.
Finally, the research notes that simply removing or uninstalling the risky npm package deletes the malicious code from the development environment but does not break the pairing previously established between the user’s WhatsApp account and the attacker’s device. Therefore, both actions are recommended: remove the package and manually check the linked devices to prevent unauthorized access.