Malware | December 28, 2025 | 4 min read

Malicious npm Package 'lotusbail' Hijacked WhatsApp Accounts for Six Months

Supply chain attack disguised as working WhatsApp API library stole credentials, messages, and linked attacker devices to victim accounts. 56,000+ downloads since May.

James Rivera

A malicious npm package masquerading as a WhatsApp Web API library has been stealing user credentials and hijacking accounts since May 2025. The package, named "lotusbail," accumulated over 56,000 downloads before researchers at Koi Security exposed it this week.

What makes this attack particularly nasty: the code actually works. It delivers the promised WhatsApp API functionality while simultaneously exfiltrating everything it touches.

How the Attack Operates

The lotusbail package presents itself as a wrapper for WhatsApp Web functionality, built on the legitimate Baileys library. Developers integrating WhatsApp messaging into their applications would find it functions exactly as documented—messages send, contacts sync, and the API responds correctly.

Behind that working facade, the malware:

  • Steals authentication tokens and session keys during the WhatsApp login flow
  • Intercepts all messages, both sent and received
  • Exfiltrates contact lists, media files, and documents
  • Links the attacker's device to the victim's WhatsApp account through the device pairing process

That last capability is the most dangerous. Device pairing gives attackers persistent access to the victim's account even after the malicious package is removed. The attacker's linked device continues receiving messages until the victim manually revokes it in WhatsApp settings.

Most developers who used lotusbail have no idea they also need to check for rogue linked devices, so cleanup typically stops at removing the package and leaves the backdoor open.

Anti-Detection Techniques

The package author invested significant effort in avoiding detection. According to Koi Security, lotusbail includes:

  • Custom RSA encryption of the exfiltrated data. A legitimate wrapper around Baileys has no reason to ship its own asymmetric crypto, since the WhatsApp protocol already handles end-to-end encryption; the only job of this code is to make stolen data opaque to network monitoring before it is transmitted
  • 27 infinite-loop traps designed to stall debuggers and frustrate manual analysis
  • A legitimate-looking code structure that passes casual review

The combination of actually working as a WhatsApp library plus active anti-analysis measures explains how lotusbail survived on npm for six months. Automated scanning looks for obviously malicious patterns. This package delivered real functionality while hiding its payload behind encrypted exfiltration and debugging countermeasures.

Who Is Affected

Any developer or application that integrated lotusbail is potentially compromised. This includes:

  • Direct npm users who installed the package for their own projects
  • Downstream dependencies if lotusbail was included in other packages
  • End users of applications built with the malicious library

The 56,000 download count doesn't directly translate to compromised accounts—some downloads come from mirrors, CI/CD systems, and automated processes. But the real victim count is likely in the thousands or tens of thousands.

Organizations using lotusbail in production applications face a particularly difficult situation. They need to audit which user sessions touched the malicious code and advise those users to check for unauthorized linked devices.

Remediation Steps

If you or your organization used lotusbail:

  1. Remove the package from every project: package.json, lock files, installed node_modules, and any CI or build caches that could reinstall it
  2. Rotate any credentials that may have been exposed during WhatsApp authentication flows; stolen session keys and tokens stay usable until the sessions they belong to are logged out and re-established
  3. Check Linked Devices in WhatsApp settings and remove any you don't recognize
  4. Audit network logs for unexpected outbound connections, particularly around the time of authentication flows
  5. Notify affected users if you deployed an application built on this library

The linked device check is critical. Simply removing lotusbail doesn't revoke the attacker's access—that requires manual intervention in WhatsApp.

The Broader Supply Chain Problem

This attack follows a familiar pattern: malicious packages that deliver promised functionality while secretly exfiltrating data. npm has seen hundreds of similar incidents, from typosquatting attacks to outright malware like lotusbail.

The JavaScript ecosystem's dependency culture creates massive attack surface. A single popular package can reach millions of developers. A convincing-looking library with actual working code can persist for months before anyone notices the hidden payload.

Koi Security's Tuval Admoni emphasized that source code review isn't enough. "Looking at source code to find the malicious lines isn't sufficient," he noted. Developers should monitor runtime behavior for unexpected outbound connections, especially during authentication flows with new dependencies.

Static analysis misses runtime-only malicious behavior. Network monitoring catches exfiltration but requires active attention. The six-month window before lotusbail's discovery shows how inadequate current practices are.

What npm Is Doing

npm has removed the lotusbail package and the account "seiren_primrose" that published it. The registry's security team continues to scan for similar packages that may be related.

But reactive removal after 56,000 downloads isn't exactly a success story. The attacker achieved their objective—months of credential theft and persistent account access—before the operation was exposed.

Supply chain security remains an unsolved problem for package registries. The tension between open access and security review hasn't been resolved, and attacks like lotusbail demonstrate the ongoing cost of that tradeoff.
