Developer Alert: Malicious npm and NuGet Packages Found Stealing WhatsApp Data and Google Ads Credentials


543/68 Wednesday, December 24, 2025

Cybersecurity researchers have disclosed a new supply chain attack targeting software developers, involving malicious packages distributed through popular package repositories. One of the threats identified is a package named “lotusbail” on the npm repository, which has been downloaded more than 56,000 times since May 2025. While the package functions as a legitimate and usable WhatsApp API, it secretly contains a malicious WebSocket wrapper that intercepts chat messages, contact lists, and media files, and exfiltrates them to attacker-controlled servers. Particularly concerning is the malware’s ability to implant a persistent backdoor by covertly linking an attacker-controlled device to the victim’s WhatsApp account via the Device Linking feature, allowing continued access even after the developer removes the package from their environment.

At the same time, a similar campaign has been observed in the .NET ecosystem, where researchers identified 14 malicious NuGet packages designed to mimic popular libraries such as Nethereum, as well as packages related to cryptocurrency and Google Ads. These packages aim to steal private keys and monitor crypto transactions exceeding $100 USD, redirecting funds to attacker-controlled wallets. Additionally, analysis of the GoogleAds.API packages revealed code specifically written to extract sensitive secrets (DeveloperToken, OAuth2ClientId, and OAuth2ClientSecret) and exfiltrate them. This enables attackers to fully compromise Google Ads accounts, launch fraudulent ad campaigns, or drain advertising budgets without restriction.

These two cases highlight the increasing sophistication of modern supply chain attacks. The attackers artificially inflate download counts and release frequent updates to build credibility, while also embedding anti-debugging mechanisms to hinder analysis by security researchers. The danger lies in the abuse of trust: standard static analysis tools may fail to detect malicious behavior because the code performs its advertised functionality correctly. Developers are therefore urged to exercise heightened caution when selecting third-party libraries and to regularly review connected devices and application permissions for critical accounts. Developers and administrators who may have used related libraries should inspect package.json or packages.config for suspicious package names and immediately review the Settings pages of WhatsApp and Google accounts to unlink any unknown devices or applications.
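The manifest review recommended above can be scripted. The following is an added example, not code from the original report or from any of the projects it names: it reads an npm package.json and a NuGet packages.config, flags the npm name reported here ("lotusbail") as known-malicious, and flags any NuGet id in the impersonated families (Nethereum, GoogleAds.API) that is not on a constructed allowlist of the ids a project deliberately uses, so lookalikes surface for manual review.

```python
import json
import xml.etree.ElementTree as ET

# Constructed watchlist: the npm name from the report, plus NuGet id prefixes
# of the package families the report says were impersonated.
KNOWN_BAD_NPM = {"lotusbail"}
WATCHED_NUGET_PREFIXES = ("nethereum.", "googleads.api")
# Constructed allowlist standing in for the ids your project actually chose;
# a watched-prefix id outside it is a lookalike candidate, not a verdict.
APPROVED_NUGET = {"nethereum.web3"}

NPM_DEP_FIELDS = ("dependencies", "devDependencies",
                  "optionalDependencies", "peerDependencies")

def npm_dependency_names(package_json_text):
    """Collect declared npm package names from every dependency section."""
    data = json.loads(package_json_text)
    names = set()
    for field in NPM_DEP_FIELDS:
        names.update(data.get(field, {}))
    return names

def nuget_package_ids(packages_config_text):
    """Collect <package id="..."> values from a NuGet packages.config."""
    root = ET.fromstring(packages_config_text)
    return {p.get("id") for p in root.iter("package") if p.get("id")}

def scan(package_json_text=None, packages_config_text=None):
    """Return (ecosystem, name, reason) tuples that need a human's attention."""
    findings = []
    if package_json_text is not None:
        for name in sorted(npm_dependency_names(package_json_text)):
            if name.lower() in KNOWN_BAD_NPM:
                findings.append(("npm", name, "known-malicious"))
    if packages_config_text is not None:
        for pid in sorted(nuget_package_ids(packages_config_text)):
            low = pid.lower()  # NuGet ids are case-insensitive
            if low.startswith(WATCHED_NUGET_PREFIXES) and low not in APPROVED_NUGET:
                findings.append(("nuget", pid, "unapproved-lookalike"))
    return findings

# Constructed sample manifests (versions are made up for the demo).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.19.0", "lotusbail": "^1.2.3"},
    "devDependencies": {"jest": "^29.0.0"},
})
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="13.0.3" />
  <package id="Nethereum.Web3" version="4.0.0" />
  <package id="Nethereum.Wallet.Helpers" version="1.0.0" />
  <package id="GoogleAds.Api.Client" version="2.0.0" />
</packages>"""
```

Run `scan(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGES_CONFIG)` against your own manifests after swapping in your real allowlist; lockfiles and transitive dependencies are not covered by this check.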

Source: https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html