The desire to get the most out of WhatsApp with extra features continues to lead many users and developers to download tools from outside official channels. The problem is that, in this gray area of unverified libraries and modified apps, increasingly sophisticated threats are slipping through, capable of stealing messages, contacts, and even personal documents without raising suspicion.
The most recent example is a WhatsApp malware that masquerades as a legitimate library in the npm (Node Package Manager) repository. Under a fully functional guise, this package has managed to link attackers' devices to other people's WhatsApp accounts, copy entire chat histories, and extract files and credentials, potentially affecting users in Spain, Europe, and the rest of the world.
A fake WhatsApp Web package sneaks onto npm
The campaign was identified by researchers from Koi Security, who detected a package published on npm and presented as an API or library to automate WhatsApp Web. Under names like "Iotusbail" or "lotusbail", the code was disguised as a fork of the well-known WhiskeySockets Baileys project, widely used by developers to create bots, integrations and automation tools on top of the WhatsApp web protocol.
On paper, the library seemed legitimate: it allowed you to connect to WhatsApp Web, send and receive messages and manage sessions in much the same way as the genuine version. This appearance of normality led thousands of developers to integrate it into their projects without suspecting that, in the background, it was intercepting all the traffic passing through the connection.
According to Koi Security's analysis, the malicious package wrapped the legitimate WebSocket client used to communicate with WhatsApp's servers. In this way, every message, file or piece of authentication data that circulated through the application first passed through the malicious wrapper, which copied it and sent it, encrypted, to a server controlled by the attackers.
The threat is not an isolated case: it is part of a growing trend of attacks on the software supply chain, where cybercriminals infiltrate public repositories by taking advantage of the trust generated by projects with many downloads and names similar to those of popular tools.

What data does the malware steal from WhatsApp?
The behavior of the malicious package is especially worrying because of the volume and sensitivity of the information it manages to extract, and because of the possibility of that private data being trafficked.
- Complete contact lists stored in the WhatsApp account.
- Multimedia files shared in chats: photos, videos, and voice notes.
- Documents sent or received through the app.
- Authentication tokens and session keys used to initiate and maintain the connection.
- Credentials and login details associated with the WhatsApp Web account.
In practice, this means that attackers can replicate the victim's activity almost in real time: reading conversations, downloading files, tracking new device connections and even preparing other frauds (such as impersonating contacts in work or family environments, something very sensitive in Europe, where WhatsApp is used massively in companies and administrations).
Experts also point out that the malware incorporates custom encryption mechanisms, such as the use of RSA, so that data exfiltration goes undetected by traditional monitoring tools and security solutions. In addition, anti-debugging features trigger infinite loops when advanced analysis is detected, further complicating the investigators' task.
Another key aspect is its persistence: even if the developer or user removes the npm package from the project or system, the WhatsApp account may still be compromised. The reason is that, during the authentication process, the malicious library silently links a device controlled by the attacker as if it were a valid companion device, as permitted by WhatsApp's multi-device feature.
How the attacker's device is linked to your account
The most critical aspect of the attack lies in how the package abuses WhatsApp Web's own functionality. When a developer uses the library to connect their application to the service, the malware introduces its own WebSocket wrapper that oversees the pairing process.
At that moment, the code captures the authentication token, session keys and pairing code generated for login. With that information, the backdoor automatically links a device controlled by the attackers to the target account, as if it were an additional authorized computer, tablet or browser.
The worrying thing is that this process does not require any extra action from the user beyond simply using the seemingly legitimate API; for the developer, everything appears to be working normally. In the background, however, the attackers already have persistent access that remains even if the npm package is deleted or the tool that integrated it is uninstalled.
Only a manual review of the "Linked devices" section in the WhatsApp app makes it possible to detect and revoke these hidden accesses. Until those suspicious devices are disconnected, the attacker retains full visibility over the messages and data associated with the account.
Impact on developers, companies and users in Europe
Although the initial focus of the attack is on the developer community that uses npm, the risk has a clear domino effect on end users and organizations. Many projects that integrate libraries like Baileys are used in business environments to manage customer service, notification systems, or automated responses via WhatsApp.
If a developer in Spain or any other European Union country unknowingly incorporates a malicious fork such as Iotusbail or lotusbail, not only is their own account compromised but also those of the customers or users who interact with that integration. In the European context, where the General Data Protection Regulation (GDPR) applies, this type of leak can lead to serious privacy breaches and to penalties if it is not handled correctly.
Furthermore, the reliance on WhatsApp as the official communication channel in SMEs, local businesses, and even public administrations in Spain means that any attack on this platform has a potentially broad impact. From the theft of customer contacts to the theft of shared documents (invoices, quotes, reports, etc.), the damage is not only individual but also business-related.
The researchers emphasize that the malicious package was available on npm for around six months, accumulating more than 56,000 downloads. That figure, although it does not indicate how many accounts were ultimately compromised, gives an idea of the reach that an attack of this type can have when it infiltrates an infrastructure so widely used by developers worldwide.
How to tell if your WhatsApp account has been compromised
Detecting in time whether someone has managed to link an unauthorized device to your WhatsApp account is essential to block intruders. The service itself offers a relatively simple way to check this, although many users overlook it.
To check for intruders in your account, you can follow these steps recommended by security experts:
- Open WhatsApp on your mobile (Android or iPhone).
- Go to the "Settings" menu or tap the three-dot icon in the top corner.
- Enter the "Linked devices" section.
- Check each device on the list one by one and verify that you recognize all access points.
- If you see any device, session, or location that seems unfamiliar, log out immediately.
After performing this check, it is advisable to go a little further: change the password of the Google or Apple account associated with the phone, activate two-step verification on WhatsApp and check whether there has been any unusual activity on other services you use from the same device.
In the case of developers who have installed or used unofficial libraries, it is also advisable to audit the project code, remove suspicious dependencies and, if necessary, regenerate API keys and credentials associated with integrations with clients or suppliers.
Why do we keep falling for WhatsApp malware?
This campaign highlights a pattern that repeats itself time and time again: the appeal of extra features and customization outweighs prudence. Many users are looking for modified versions of WhatsApp, bots, automations or special tools that promise to "go one step further" than the original app, without paying much attention to the origin of the software.
In this specific case, the malware does not directly exploit a technical vulnerability in WhatsApp but rather a human and process weakness: trusting a third-party library simply because it seems useful and has a high number of downloads. The same applies to apps downloaded from outside Google Play, the App Store, or official developer websites.
Attackers are aware of this reality and design their campaigns so that the malicious tools are fully functional. In other words, they do what they promise (allow bots, automate messages, personalize the experience...) but add a hidden layer of code that silently steals data. Thus, the user has no apparent reason to be suspicious, because the tool "works".
This approach is gaining particular relevance in Europe and Spain, where WhatsApp adoption is massive across all age groups. The combination of high usage, trust in the platform and little culture of technically reviewing third-party tools is the perfect breeding ground for these types of threats.
Best practices to prevent malware from stealing your files and contacts
Reducing risk doesn't require being a cybersecurity expert, but it does require adopting a series of basic and consistent habits. In light of what happened with this malicious package on npm, security specialists recommend taking several guidelines into account.
- Install apps only from official stores. For mobile devices, use the Google Play Store, App Store, or other verified sources; for developer tools, download from the project's official repositories and review its documentation.
- Be wary of "extra" or unofficial features. Promises of extreme customizations, highly aggressive automations, or unprecedented access to internal WhatsApp functions are often the gateway for malware.
- Keep your system and apps up to date. Both the mobile operating system and WhatsApp and other applications must be up to date to reduce exposure to known vulnerabilities.
- Turn on two-step verification on WhatsApp and associated accounts (Google, Apple, email) to complicate unauthorized access even if passwords or tokens are leaked.
- Perform encrypted backups of the most sensitive chats and files, storing them on trusted services, so that a possible infection does not imply the total loss of information.
- Consult reliable sources before installing a new tool: review user feedback, security reports and, in the case of Europe, recommendations from organizations and agencies specializing in cybersecurity.
For developers, the list expands with the need to audit dependencies, avoid packages from unknown authors, review suspicious name changes and monitor the runtime behavior of libraries that handle sensitive data or user credentials.
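As an added example (not code from the article, Koi Security or the Baileys project), the following Node.js script implements the first of those checks for a parsed package.json: it folds visually confusable characters so that names like "Iotusbail" and "lotusbail" collide, and flags dependencies that are lookalikes of, or a couple of edits away from, a trusted allow-list. The TRUSTED list and SAMPLE_MANIFEST are constructed for illustration.

```javascript
// Added example: dependency-name audit for a Node project. Not from the article,
// Koi Security or the Baileys project; the allow-list and sample manifest are constructed.

// Packages this project is expected to depend on (constructed allow-list; extend for your own project).
const TRUSTED = ["@whiskeysockets/baileys", "baileys", "express", "ws"];

// Characters that look alike in common fonts, folded to one canonical form.
// Applied before lowercasing so that a capital "I" and a lowercase "l" collide,
// which is exactly how "Iotusbail" and "lotusbail" differ.
const FOLDS = [[/rn/g, "m"], [/vv/g, "w"], [/[Il1|]/g, "l"], [/[O0]/g, "o"], [/[S5$]/g, "s"]];

function skeleton(name) {
  let s = name.replace(/^@/, ""); // the scope marker carries no visual weight
  for (const [re, to] of FOLDS) s = s.replace(re, to);
  return s.toLowerCase().replace(/[-_.]/g, "");
}

// Levenshtein distance, enough to catch one- or two-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns one finding {name, reason} per suspicious dependency in a parsed package.json.
function auditDependencies(manifest, trusted = TRUSTED) {
  const deps = Object.keys({ ...manifest.dependencies, ...manifest.devDependencies });
  const trustedBySkel = new Map(trusted.map((t) => [skeleton(t), t]));
  const findings = [];
  for (const name of deps) {
    if (trusted.includes(name)) continue; // exact allow-list match
    const skel = skeleton(name);
    const twin = deps.find((o) => o !== name && skeleton(o) === skel); // homoglyph sibling
    const near = trusted.find((t) => editDistance(skel, skeleton(t)) <= 2); // typosquat
    if (trustedBySkel.has(skel)) findings.push({ name, reason: `visually confusable with trusted "${trustedBySkel.get(skel)}"` });
    else if (twin) findings.push({ name, reason: `visually confusable with sibling "${twin}"` });
    else if (near) findings.push({ name, reason: `within two edits of trusted "${near}"` });
  }
  return findings;
}

// Constructed sample manifest that mirrors the lookalike names reported in the article.
const SAMPLE_MANIFEST = { dependencies: { Iotusbail: "^6.0.0", lotusbail: "^6.0.0", bai1eys: "^1.0.0", express: "^4.18.0" } };

if (typeof require !== "undefined" && require.main === module)
  for (const f of auditDependencies(SAMPLE_MANIFEST)) console.log(`WARN ${f.name}: ${f.reason}`);
```

To audit a real project, pass the parsed contents of its package.json to auditDependencies and treat every finding as a dependency to inspect by hand before trusting it.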
What happened with this WhatsApp malware that steals files, contacts and credentials demonstrates the extent to which a simple download can open the door to a massive leak of personal and professional information. A seemingly innocuous npm package has been enough to link attackers' devices, monitor conversations, and continuously extract data, jeopardizing both individual users and companies in Spain and the rest of Europe. Faced with an increasingly exposed digital landscape, the combination of caution, constant updates, and regular review of the devices linked to an account has become the best defense for maintaining privacy on WhatsApp.