Why this WhatsApp integration quietly stole accounts

A WhatsApp API clone did more than just send messages—it silently stole chats, contacts, and control. Trusted by thousands, this npm package blurred the line between code that works and code that watches. Sometimes, malware wears a developer's mask.


For most developers, broken code raises alarms. This time, the danger came from code that worked exactly as promised.


A malicious npm package called lotusbail presented itself as a fully functional WhatsApp Web API. It sent messages, received replies, passed tests, and made it into production environments. Behind that clean surface, it quietly intercepted conversations, harvested contacts, and hijacked WhatsApp accounts.

Cybersecurity researchers at Koi Security revealed that the package had already crossed 56,000 downloads, with hundreds more installs happening just days before discovery. The library had been live for six months. During that time, it behaved like a trusted tool while operating as a surveillance pipeline.

This was not a bug. It was the design.

Why this attack was different

Most malicious packages fail quickly. They crash apps, raise red flags, or behave strangely during testing. Lotusbail did the opposite.


It worked.

The package was built as a fork of @whiskeysockets/baileys, a legitimate and widely used TypeScript library for interacting with the WhatsApp Web API. By cloning real functionality, the attacker avoided suspicion. Developers installed it, tested it, and moved on.

That functionality became the camouflage. Every message sent or received passed through a malicious WebSocket wrapper. Authentication tokens, session keys, contact lists, media files, and message histories were duplicated silently and prepared for exfiltration.

No extra permissions. No suspicious API calls. Just normal usage.

How messages were intercepted in plain sight

The interception happened at the WebSocket level, where WhatsApp communication flows during authentication and message exchange.

Source: Koi Security

When developers connected their applications using lotusbail, the wrapper captured credentials at login and intercepted messages in real time. The stolen data was then encrypted using a custom RSA implementation before being sent to an attacker-controlled server. This extra encryption layer was not protecting users. WhatsApp already encrypts messages end to end. The added cryptography existed only to hide stolen data from network monitoring tools.

To further obscure activity, the malware used multiple layers of obfuscation, including Unicode manipulation, compression, Base-91 encoding, and AES encryption. Everything looked normal. Nothing sounded alarms.

The backdoor that outlived uninstalling

The most damaging part of the attack was not data theft. It was persistence. Lotusbail hijacked WhatsApp’s device pairing process using a hard-coded pairing code. When developers authenticated their app, they unknowingly linked the attacker’s device to their WhatsApp account.


This meant full access to messages and contacts even after the malicious package was removed. As long as the attacker’s device remained linked, access continued. The only fix was manual removal through WhatsApp’s linked devices settings. Most victims had no idea anything was wrong.

Built to resist analysis

Lotusbail was engineered to survive scrutiny. The package included 27 infinite loop traps designed to activate when debugging tools were detected. Once triggered, the code would freeze execution, making runtime analysis painful and time-consuming.

Static analysis tools failed because the codebase looked legitimate. Reputation systems trusted the package because of its high download count. Automated checks approved it because it behaved exactly like working WhatsApp code. This is the blind spot modern supply chain attacks exploit.


A pattern bigger than WhatsApp

The WhatsApp attack did not exist in isolation. Around the same time, researchers uncovered 14 malicious NuGet packages impersonating popular cryptocurrency and developer libraries. Some redirected crypto transactions. Others stole private keys, seed phrases, or OAuth credentials tied to Google Ads accounts.

In each case, attackers inflated download counts, released frequent updates, and mimicked trusted package names to build credibility. The lesson was consistent. Trust signals can be manufactured.


What this incident exposes

Lotusbail highlights a shift in how software supply chain attacks operate. Attackers no longer rely on broken code or obvious exploits. They rely on trust, working features, familiar libraries, and developer habits.

As Koi Security noted, traditional defenses failed because nothing looked wrong. The code worked. The API responded. The app shipped. The malicious behavior lived in the gap between "this code functions" and "this code does only what it claims." That gap is getting wider.

The takeaway for developers

This incident forces a hard truth into the open. Source code review alone is no longer enough. Popularity is not proof of safety. Functionality is not a guarantee of intent. When a WhatsApp API can spy on conversations while doing its job perfectly, the definition of a security warning changes.
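One concrete habit that follows from this: check what is actually in your lockfile, not just what your package.json names. The script below is an added example, not code from the article or from Koi Security; it audits a lockfileVersion 2/3 package-lock.json for the package named in this article and for unscoped names that closely mimic the legitimate @whiskeysockets/baileys library. The lockfile contents and the "baileys-web" name are constructed for the demonstration, and the mimicry rule is a heuristic, not proof of safety.

```javascript
// Added example (not from the article): flag a known-bad npm package and
// names that look like forks or lookalikes of a trusted library.
const KNOWN_MALICIOUS = new Set(["lotusbail"]);      // package named in the article
const TRUSTED = ["@whiskeysockets/baileys"];         // the library lotusbail forked

// Standard Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Drop the npm scope ("@org/") so scoped and unscoped names compare evenly.
function bareName(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase();
}

// Walk the "packages" map of a v2/v3 package-lock.json; return one finding
// per entry that is on the deny-list or that mimics a trusted name.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                       // root project entry
    const name = path.replace(/^.*node_modules\//, "");
    const bare = bareName(name);
    if (KNOWN_MALICIOUS.has(bare)) {
      findings.push({ name, version: meta.version, reason: "known-malicious" });
      continue;
    }
    for (const t of TRUSTED) {
      const tb = bareName(t);
      // Same bare name as the trusted package but a different full name,
      // a near-miss (edit distance <= 2), or a name that embeds the trusted one.
      if (name !== t && (bare === tb || editDistance(bare, tb) <= 2 || bare.includes(tb))) {
        findings.push({ name, version: meta.version, reason: `mimics ${t}` });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment for the demonstration; versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-bot" },
  "node_modules/@whiskeysockets/baileys": { version: "0.0.0-placeholder" },
  "node_modules/lotusbail": { version: "0.0.0-placeholder" },
  "node_modules/baileys-web": { version: "0.0.0-placeholder" },
  "node_modules/ws": { version: "0.0.0-placeholder" },
} };
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; treat any "mimics" finding as a prompt to inspect the package's origin, not as a verdict.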


The next supply chain attack may not break your app. It may quietly become part of it.
