Sat. Jun 13th, 2026

Cybersecurity experts have warned that users of the Node Package Manager (NPM) registry are being targeted by a malicious package that hijacks the user's WhatsApp account and steals all messages and contact records.

Security researchers at Koi Security recently discovered a malicious fork called 'lotusbail', which clones the popular open-source project WhiskeySockets/Baileys. The original project is a TypeScript/JavaScript library that interacts with the WhatsApp Web protocol through a WebSocket API, allowing developers to build applications that act as linked companion devices on a WhatsApp account. The malicious version keeps all the legitimate functionality of the original project, but it also embeds data-stealing code. It steals the user's WhatsApp authentication credentials and session keys. In addition, all messages are intercepted and recorded, and contact lists, media files and all other documents are uploaded to third-party servers. In its report, Koi Security stated: "The malicious software wrapped a legitimate WebSocket client that communicated with WhatsApp. Every message that flows through a user application goes through this malicious wrapper. When a user performs authentication, it captures the user's credentials; when a message is received or sent, it intercepts and records it."

Perhaps most worrying, however, is that the package uses WhatsApp's device pairing feature to link the attacker's device to the victim's WhatsApp account. This means that even if victims remove the malicious NPM package, their WhatsApp accounts remain under the attacker's control until they manually unlink the device. The malicious package stayed on NPM for at least six months, during which time it was downloaded more than 56,000 times.

NPM is one of the world's most popular online package registries and hosts JavaScript software packages. It allows developers to find, download and manage open-source and private software packages for Node.js and JavaScript projects. That is why it continues to be subjected to various forms of fraud and attacks, ranging from malicious forks to typosquatting. To stay secure, the experts recommended that developers be particularly careful when downloading and running any software package, even one with thousands of downloads.
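One way to act on that advice is to check a project's lockfile for the package named above, including transitive and aliased installs. The following is an added example, not code from the article or from Koi Security's report; the sample lockfiles, the `chat-helper` dependency and the version strings are constructed placeholders.

```javascript
// Added example: find a flagged package anywhere in a parsed package-lock.json.
const FLAGGED = new Set(["lotusbail"]); // package name reported in the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? "" : p.slice(i + marker.length);
}

// v1 lockfiles record an alias install as version "npm:<real-name>@<version>".
function realNameV1(key, version) {
  if (typeof version !== "string" || !version.startsWith("npm:")) return key;
  const spec = version.slice(4);
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; aliases carry "name".
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || nameFromPath(path);
      if (flagged.has(name)) hits.push({ name, version: meta.version, via: path });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      const via = [...trail, key];
      const name = realNameV1(key, meta.version);
      if (flagged.has(name)) hits.push({ name, version: meta.version, via: via.join(" > ") });
      walk(meta.dependencies, via);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles: one transitive install and one alias install each.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-bot", version: "1.0.0" },
  "node_modules/ws": { version: "8.0.0" },
  "node_modules/chat-helper/node_modules/lotusbail": { version: "0.0.0-sample" },
  "node_modules/baileys": { name: "lotusbail", version: "0.0.0-sample" } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "chat-helper": { version: "1.2.0", dependencies: { lotusbail: { version: "0.0.0-sample" } } },
  baileys: { version: "npm:lotusbail@0.0.0-sample" } } };
console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `findFlagged`. As the article notes, a hit means the linked devices on the affected WhatsApp account also need to be reviewed, because removing the package does not unlink them.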
