
Malicious 'lotusbail' npm Package Compromises WhatsApp Accounts with 56,000+ Downloads
A malicious package named 'lotusbail' has been identified on the npm registry, posing as a legitimate WhatsApp API interface. The package, published under an unspecified username, has been downloaded over 56,000 times since its upload. The malware intercepts all sent and received WhatsApp messages, exfiltrates contact lists, and steals session tokens in order to bind victims' WhatsApp accounts to attacker-controlled devices. This enables complete compromise of communications and unauthorized account access. The absence of a publication date and author details complicates attribution efforts.

This incident highlights critical risks in open-source supply chains, where malicious packages can be distributed through trusted repositories. Developers and organizations should immediately audit their dependencies for this package, implement rigorous package vetting processes, and consider runtime integrity checks. The high download count suggests potentially widespread impact across numerous applications and user accounts. The theft of session tokens is particularly concerning, as it allows persistent access even after password changes. This attack underscores the need for enhanced security measures in package management, including automated vulnerability scanning and dependency monitoring.