A new investigation by Koi Security has exposed a highly sophisticated supply chain attack lurking in the npm registry. For six months, a package named lotusbail masqueraded as a legitimate WhatsApp Web API library, fooling over 56,000 developers into integrating it into their projects.
The package, a fork of the legitimate and popular @whiskeysockets/baileys library, did exactly what it promised on the surface: it allowed developers to build WhatsApp bots and integrations. But beneath its functional exterior lay a catastrophic payload.
The genius of lotusbail was its competence. Unlike low-effort malware that often breaks the application it infects, this package worked flawlessly. Developers who installed it saw their WhatsApp integrations function as expected, giving them no reason to suspect foul play.
“The package has been available on npm for 6 months and is still live at the time of writing,” the report notes, highlighting the terrifying longevity of the campaign.
However, while the application was sending messages for the user, it was also sending secrets to the attackers. The report describes the payload as “sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server”.
What sets lotusbail apart is the level of engineering discipline behind the attack. The malware authors didn’t just write malicious code; they protected it with the rigor of a commercial software vendor.
The analysis revealed 27 infinite loop traps designed to freeze the computers of security researchers attempting to debug the code. These traps inspect process arguments and detect sandbox environments to prevent analysis.
In a twist of dark irony, the attackers strictly adhered to coding best practices. “They also left helpful comments in their code marking the malicious sections – professional development practices applied to supply chain attacks. Someone probably has a Jira board for this,” the researchers observed.
Perhaps the most dangerous aspect of lotusbail is its tenacity. Simply uninstalling the infected package does not clean the system. The malware installs a persistent backdoor that survives the deletion of the original file.
As the report grimly states: “Even after the package is gone, they still have access”.
This incident exposes a critical flaw in modern development workflows. Reputation systems and static analysis tools often give a pass to packages that appear popular and functional. With 56,000 downloads, lotusbail looked trusted to automated scanners.
“The malware hides in the gap between ‘this code works’ and ‘this code only does what it claims’,” Koi Security concluded.