Malicious npm Package “lotusbail” Discovered: WhatsApp Credential Theft and Backdoor Installation

Package Overview

Aspect               Details
-------------------  ----------------------------------------------------
Package Name         lotusbail
Package Registry     npm
Package Type         Malicious library
Masquerade Target    WhatsApp Web API client library
Total Downloads      56,000+
Discovery Date       December 23, 2024
Threat Severity      Critical
Malware Type         Infostealer + Remote Access Trojan (RAT)
Installation Vector  npm install lotusbail
Primary Targets      Web developers, automation projects, bot developers
Current Status       Removed from the npm registry

Threat Summary

The npm package lotusbail was discovered distributing malicious code while posing as a legitimate WhatsApp Web API library. Before being taken down, the package accumulated more than 56,000 downloads, exposing developers and downstream users to credential theft, message interception, and long-term system compromise.

Once installed, the package silently harvested WhatsApp authentication data, intercepted live messages, exfiltrated contact information, and deployed a persistent backdoor that allowed remote command execution. Any organization or individual that installed this dependency must treat the incident as a full security compromise.


Malware Capabilities

WhatsApp Credential Harvesting

The package reads the stored WhatsApp Web session (the linked-device keys that authenticate a browser or bot to WhatsApp) from wherever the host application keeps it. With that session an attacker can:

  • Log in as the victim without detection
  • Access full message history and media
  • Send and receive messages impersonating the user
  • Maintain long-term access via saved session tokens

Message Interception

Injected logic enables real-time surveillance of WhatsApp Web traffic:

  • Capture incoming and outgoing messages
  • Read shared media and attachments
  • Record conversations live
  • Store communications for offline analysis

Contact and Metadata Harvesting

The malware extracts complete account metadata, including:

  • Phone numbers
  • Display names
  • Profile information
  • Group membership and organizational structure

Persistent Backdoor Deployment

A secondary payload establishes durable access:

  • Executes at application or system startup
  • Runs with application-level privileges
  • Maintains encrypted communication with attacker servers
  • Supports remote command execution

Technical Analysis

Distribution Method

The package was published through the official npm registry using a convincing name designed to blend in with legitimate WhatsApp tooling.

Installation command:

npm install lotusbail

Attack Chain

  1. Installation
    The package is added as a dependency via npm install or package.json.
  2. Initialization
    Malicious code executes during installation or application startup via npm lifecycle scripts or require() hooks.
  3. Credential Extraction
    WhatsApp Web session data and authentication tokens are accessed from storage locations.
  4. Data Exfiltration
    Stolen data is sent to attacker-controlled infrastructure over encrypted channels.
  5. Persistence
    Backdoor components ensure continued access across restarts and deployments.

Infection Mechanisms

  • npm Script Abuse
    Install-time lifecycle scripts (preinstall, install, postinstall) declared in package.json run arbitrary code with the installing user's privileges, before the project ever imports the module.
  • Module Import Poisoning
    Malicious logic runs when the module is required, before (or instead of) the expected library functionality.
  • Session Hijacking
    Reads the stored WhatsApp Web session from browser local storage or from the session files a bot framework caches on disk.
  • In-Process Message Interception
    Because the library itself is the WhatsApp Web client, it sees every message in plaintext as it is sent and received. No network man-in-the-middle is needed, so TLS inspection on the wire will not reveal it.

Indicators of Compromise (IOCs)

File & Directory IOCs

node_modules/lotusbail/                                (any project, at any nesting depth)
~/.npm/_cacache/index-v5/*                             (index entries referencing lotusbail: the tarball was downloaded, not necessarily run)
~/.nvm/versions/node/*/lib/node_modules/lotusbail/     (global install under nvm)
/usr/local/lib/node_modules/lotusbail/                 (global install)

A cache hit shows only that the package was fetched on the machine; the project's package-lock.json shows whether it was actually installed.

Process & Behavior IOCs

  • Node.js processes spawning unexpected child processes (shells or download utilities)
  • File modifications outside project directories, especially in startup or autorun locations
  • Access to browser storage or cached WhatsApp session files by the bot process
  • Windows registry modifications (autorun entries) that the project itself does not make

Network IOCs (Behavioral)

  • Outbound HTTPS traffic to non-WhatsApp, non-npm domains
  • Repeated encrypted POST requests with structured payloads
  • DNS lookups for recently registered or low-reputation domains
  • Persistent command-and-control beaconing

Note: Exact domains and IPs may vary; behavioral detection is strongly recommended.


Impact Assessment

Affected Population

  • 56,000+ downloads (installs, not unique developers: CI rebuilds inflate the count, so the true population is smaller but unknown)
  • Potentially millions of end users via affected applications
  • WhatsApp accounts used for business, automation, or support
  • Contacts and group members of compromised accounts

Business Impact

  • Theft of sensitive communications
  • Account takeover of business WhatsApp instances
  • Loss of customer trust and reputational damage
  • Possible regulatory violations due to data exposure

Data Exposure Scope

  • WhatsApp credentials and session tokens
  • Complete message history
  • Contact lists and profile metadata
  • Shared media files
  • Organizational relationships inferred from group data

Detection Methods

Dependency Review

npm ls lotusbail
npm ls --all

The first command prints every path in the dependency tree that leads to the package, so it catches transitive installs as well as direct ones; npm ls --all prints the full tree (npm 7 and later hide nested dependencies by default).

Check package.json for a direct dependency, and package-lock.json as well: a transitive dependency is recorded only in the lockfile.

{
  "dependencies": {
    "lotusbail": "*"
  }
}

Registry Inspection

npm view lotusbail
npm view lotusbail versions

Verify publisher history, repository links and modification timelines. Because the package has been removed from the registry, these commands may now return an E404 error or a placeholder entry rather than the malicious versions; the resolved and integrity fields in package-lock.json still record exactly which tarball a project installed.


File System Checks

find . -path '*/node_modules/lotusbail' -type d
grep -rl lotusbail ~/.npm/_cacache/index-v5 2>/dev/null
find ~/.nvm/versions/node -path '*/lib/node_modules/lotusbail' -type d 2>/dev/null

The first command finds the package at any nesting depth in the project. The npm cache is content-addressed, so its file names never contain the package name; searching the index entries under _cacache/index-v5 shows whether the tarball was ever fetched on this machine (evidence of a download, not of execution). The last command covers global installs under nvm; check /usr/local/lib/node_modules as well.

Network & Process Monitoring

  • Unexpected outbound connections
  • Suspicious Node.js child processes
  • Credential access attempts
  • Unauthorized file system changes

Remediation Procedures

Immediate Containment

1. Remove the Package

npm uninstall lotusbail
npm prune

npm uninstall drops the entry from package.json and package-lock.json. If lotusbail arrived as a transitive dependency, remove or replace the dependency that pulled it in; otherwise the next install brings it back.

2. Clean Reinstallation

rm -rf node_modules
npm ci

Prefer npm ci over deleting package-lock.json: npm ci installs exactly what the lockfile records, whereas regenerating the lockfile silently re-resolves every version. Removing the package does not undo persistence the backdoor already established; treat the host as compromised and rebuild it from a known-good image.

3. Credential Rotation

  • WhatsApp accounts have no password: unlink every device under Settings > Linked Devices, then set or change the two-step verification PIN
  • Delete the cached session files the bot used, since they are the stolen credential
  • Rotate API keys, database credentials and any other secrets reachable from the host

Verification Steps

npm ls lotusbail

This should report no matching package. Search source and lockfiles as well:

grep -rn "lotusbail" .

Review WhatsApp activity:

  • Linked devices (remove any you do not recognise)
  • Message history, including messages you did not send
  • Contact list changes

Account Security Actions

If compromise is suspected:

  • Unlink every device under Settings > Linked Devices and re-link only the ones you control
  • Set or change the two-step verification PIN (WhatsApp has no account password; the PIN is what prevents an attacker from re-registering the number)
  • Delete cached session files on the affected host so the stolen session cannot be reused
  • Notify affected contacts
  • Review group memberships

Prevention & Hardening

Dependency Security

  • Vet maintainers and repositories before adding a dependency
  • Pin versions explicitly and commit package-lock.json, then install with npm ci so every build gets exactly the recorded versions
  • Use allowlists for approved packages, applied to the lockfile so transitive dependencies are covered
  • Disable install-time scripts by default (ignore-scripts=true in .npmrc) and enable them only for the packages that genuinely need them

{
  "dependencies": {
    "legitimate-package": "1.2.3"
  }
}

Tooling & Automation

npm audit
npm audit fix

npm audit only reports packages that already have a published advisory, so on the day a malicious package is discovered it usually reports nothing, and npm audit fix only bumps versions; it does not remove a malicious dependency. Treat it as one layer and integrate:

  • GitHub Dependabot
  • CI/CD dependency scanning
  • Deployment blocking on critical findings

Environment Hardening

  • Keep Node.js up to date
  • Avoid eval() and dynamic execution
  • Enforce strict runtime policies: run the application under Node's permission model (introduced as --experimental-permission in Node 20 and exposed as --permission in later releases) so a dependency cannot read files or spawn processes beyond what the application needs

{
  "engines": {
    "node": ">=18.0.0"
  }
}

The engines field is advisory: npm only refuses to install on an unsupported Node version when engine-strict=true is set in .npmrc.

Relevant CWE & OWASP Mappings

  • CWE-506 – Embedded Malicious Code
  • CWE-494 – Download of Code Without Integrity Check
  • OWASP A06:2021 – Vulnerable and Outdated Components
  • OWASP A08:2021 – Software and Data Integrity Failures

Historical Context: npm Supply Chain Attacks

Previous incidents demonstrate a persistent ecosystem risk:

  • event-stream (2018) – Crypto-related backdoor
  • ua-parser-js (2021) – Credential-stealing malware
  • eslint-scope (2018) – npm credential theft
  • crossenv (2017) – Typosquatting attack

Conclusion

The lotusbail incident is a clear example of a modern software supply-chain attack leveraging trust in open-source ecosystems. By impersonating legitimate WhatsApp tooling, the package achieved wide distribution and deep access to sensitive communications.

Immediate removal, credential rotation, and environment review are mandatory for affected users. Long-term mitigation requires stricter dependency governance, automated scanning, and improved publisher verification across the npm ecosystem.

Organizations that treat dependency security as a first-class concern significantly reduce their exposure to attacks of this nature.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.