NPM Package with 56K Downloads Caught Stealing WhatsApp Messages
118 comments
·December 22, 2025tekacs
Just to talk about a different direction here for a second:
Something that I find to be a frustrating side effect of malware issues like this is that it seems to result in well-intentioned security teams locking down the data in apps.
The justification is quite plausible -- in this case WhatsApp messages were being stolen! But the thing is... that if this isn't what they steal they'll steal something else.
Meanwhile locking down those apps so the only apps with a certain signature can read from your WhatsApp means that if you want to back up your messages or read them for any legitimate purpose you're now SOL, or reliant on a usually slow, non-automatable UI-only flow.
I'm glad that modern computers are more secure than they have been, but I think that defense in depth by locking down everything and creating more silos is a problem of its own.
nicoburns
I'm pretty sure WhatsApp does this for anti-competitive reasons not security reasons.
__jonas
I agree with this, just to note for context though: This (or rather the package that was forked) is not a wrapper of any official WhatsApp API or anything like that, it poses as a WhatsApp client (WhatsApp Web), which the author reverse engineered the protocol of.
So users go through the same steps as if they were connecting another client to their WhatsApp account, and the client gets full access to all data of course.
From what I understand WhatsApp is already fairly locked down, so people had to resort to this sort of thing – if WA had actually offered this data via a proper API with granular permissions, there might have been a lower chance of this happening.
vlovich123
The OS should be mediating such access where it explicitly asks your permission for an app to access data belonging to another publisher.
Gigachad
MacOS does this. It has a popup to grant access to folders like documents.
tekacs
I could certainly see the value in this in principle but sadly the labyrinthine mess that is the Apple permission system (in which they learned none of the lessons of early UAC) illustrates the kind of result that seems to arise from this.
A great microcosm illustration of this is automation permission on macOS right now: there's a separate allow dialog for every single app. If you try to use a general purpose automation app it needs to request permission for every single app on your computer individually the first time you use it. Having experienced that in practice it... absolutely sucks.
At this point it makes me feel like we need something like an async audit API. Maybe the OS just tracks and logs all of your apps' activity and then:
1) You can view it of course.
2) The OS monitors for deviations from expected patterns for that app globally (kinda like Microsoft's SmartScreen?)
3) Your own apps can get permission to read this audit log if you want to analyze it your own way and/or be more secure. If you're more paranoid maybe you could use a variant that kills an app in a hurry if it's misbehaving.
Sadly you can't even implement this as a third party thing on macOS at this point because the security model prohibits you from monitoring other apps. You can't even do it with the user's permission because tracing apps requires you to turn SIP off.
FridgeSeal
> Maybe the OS just tracks and logs all of your apps' activity
The problem here, is that like so many social-media apps, the first thing the app will do is scrape as much as it possibly can from the device, lest it lose access later, at which point auditing it and restricting its permissions is already too late.
Give an inch, and they’ll take a mile. Better to make them justify every millimetre instead.
bhhaskin
This sounds great on paper, but what happens when the OS isn't working for the user like Windows?
hamandcheese
Switch OS.
pixl97
I mean this was an app for accessing WhatsApp data, you would approve it and go on... the problem is with it sending data off to a 3rd party.
iwontberude
Windows is dead
hmokiguess
xkcd covers this really well: https://xkcd.com/2044/
userbinator
Meanwhile locking down those apps so the only apps with a certain signature can read from your WhatsApp means that if you want to back up your messages or read them for any legitimate purpose you're now SOL, or reliant on a usually slow, non-automatable UI-only flow.
...and this gives them more control, so they can profit from it. Corporate greed knows no bounds.
I'm glad that modern computers are more secure than they have been
I'm not. Back when malware was more prevalent among the lower class, there was also far more freedom and interoperability.
blell
I imagine the average HN commenter seeing every new story being posted and thinking "how could I criticise big tech using this"
there_is_try
I don't really know what I'm doing, but. Why couldn't messages be stored encrypted on a blockchain with a system where both user's in a one-one conversation agree to a key, or have their own keys, that grants permission for 'their' messages. And then you'd never be locked into a private software / private database / private protocol. You could read your messages at any point with your key.
cxr
At this point, the existence of these attacks should be an expected outcome. (It should have been expected even without the empirical record we now have and the multiple times that we can now cite.)
NPM and NPM-style package managers that are designed to late-fetch dependencies just before build-time are already fundamentally broken. They're an end-run around the underlying version control system, all in favor of an ill-considered, half-baked scheme to implement an alternative approach to version control of the package manager project maintainers' devising.
And they provide cover for attacks like this, because they encourage a culture where, because one's dependencies are all "over there", the massive surface area gets swept under the rug and they never get reviewed (because 56K NPM users can't be wrong).
stefan_bobev
I am slowly waking up to the realization that we (software engineers) are laughably bad at security. I used to think that it was only NPM (I have worked a lot in this ecosystem over the years), but I have found this to be essentially everywhere: NPM is a poster child for this because of executable scripts on install, but every package manager essentially boils down to "Install this thing by name, no security checks". Every ecosystem I touch now (apart from gamedev, but only because I roll everything myself there by choice) has this - e.g Cargo has a lot of "tools" that you install globally so that you get some capability (like flamegraphs, asm output, test runners etc.) - this is the same vulnerability, manifesting slightly differently. Like others have pointed out, it is common to just pull random Docker images via Helm charts. It is also common to get random "utility" tools during builds in CI/CD pipelines, just by curl-ing random URLs of various "release archives". You don't even have to look too hard - this is surface level in pretty much every company, almost every industry (I have my doubts about the security theatre in some, but I have no first hand experience, so cannot say)
The issue I have is that I don't really have a good idea for a solution to this problem - on one hand, I don't expect everyone to roll the entire modern stacks by hand every time. Killing collaborative software development seems like literally throwing the baby out with the bath water. On the other hand, I feel like nothing I touch is "secure" in any real sense - the tick boxes are there, and they are all checked, but I don't think a single one of them really protects me against anything - most of the time, the monster is already inside the house.
Muromec
>The issue I have is that I don't really have a good idea for a solution to this problem - on one hand, I don't expect everyone to roll the entire modern stacks by hand every time. Killing collaborative software development seems like literally throwing the baby out with the bath water.
Is NPM really collaborative? People just throw stuff out there and you can pick it up. It's the least commons denominator of collaboration.
The thing that NPM is missing is trust and trust doesn't scale to 1000x dependencies.
Cyph0n
I think the solution is a build system that requires version pinning - options include Nix, Bazel, and Buck.
stefan_bobev
I am a big fan of Bazel and have explored Nix (although, regrettably not used it in anger quite yet) - both seem like good steps in the right direction and something I would love to see more usage/evolution of. However, it is important to recognize that these tools have a steep learning curve and require deep knowledge in more than one aspect in order to be used effectively/at all.
Speed of development and development experience are not metrics to be minimized/discarded lightly. If you were to start a company/product/project tomorrow, a lot of the things you want to be doing in the beginning are not related to these tools. You probably, most of the time, want to be exploring your solution space. Creating a development and CI/CD environment that can fully take advantage of these tools capabilities (like hermeticity and reproducibility) is not straightforward - in most cases setting up, scaling and maintaining these often requires a whole team with knowledge that most developers won't have. You don't want to gatekeep the writing of new software behind such requirements. But I do agree that the default should be closer to this, than what we have today. How we get there - now that is the million dollar question.
montroser
I agree with much of what you said here, but is it really just about the package manager? If I had specified this repo's git url with a specific version number or sha directly in my package.json, the outcome would be just about the same. And so that's not really an end-run around version control at that point. Even with npm out of the picture the problem is still there.
Gigachad
The root problem is the OS allows npm packages to grab your WhatsApp messages without the user knowing.
josephg
> They're an end-run around the underlying version control system
I assume by "underlying version control system" you mean apt, rpm, homebrew and friends? They don't solve this problem either. Nobody in the opensource world is auditing code for you. Compromised xz still made it into apt. Who knows how many other packages are compromised in a similar way?
Also, apt and friends don't solve the problem that npm, cargo, pip and so on solve. I'm writing some software. I want to depend on some package X at version Y (eg numpy, serde, react, whatever). I want to use that package, at that version, on all supported platforms. Debian. Ubuntu. Redhat. MacOS. And so on. Try and do that using the system package manager and you're in a world of hurt. "Oh, your system only has official packages for SDL2, not SDL3. Maybe move your entire computer to an unustable branch of ubuntu to fix it?" / "Yeah, we don't have that python package in homebrew. Maybe you could add it and maintain it yourself?" / "New ticket: I'm trying to run your software in gentoo, but it only has an earlier version of dependency Y."
Hell. Utter hell.
__MatrixMan__
...unless your system package manager is nix.
bix6
What is so special about nix that it avoids all these issues?
WD-42
I think you missed the mark a bit here. This wasn’t a dependency that was compromised, it was a dep that was malicious from the start. Package manager doesn’t really play into this. Even if this package was vendored the outcome would have been the same.
cromka
No, package manager actually DOES play into this. Or, rather, the way best practices it enforces do. I would be seriously surprised if debian shipped malware, because the package manager is configured with debian repos by default and you know you can trust these to have a very strict oversight.
If apt's DNA was to download package binaries straight from Github, then I would blame it on the package manager for making it so inherently easy to download malware, wouldn't I?
ChrisMarshallNY
> the kind of dependency developers install without a second thought
Kind of a terrifying statement, right there.
agentifysh
yeah i mean this is a tough problem. unless you work for a government contractor where they have strict security policies, most devs are just going to run npm install without a second thought as there are a lot of packages.
i dont know what the solution here is other than stop using npm
josephg
> i dont know what the solution here is other than stop using npm
Personally I think we need to start adding capability based systems into our programming languages. Random code shouldn't have "ambient authority" to just do anything on my computer with the same privileges as me. Like, if a function has this signature:
function add(a: int, b: int) -> int
Philosophically, I kind of think of it like function arguments and globals. If I call a function foo(someobj), then function foo is explicitly given access to someobj. And it also has access to any globals in my program. But we generally consider globals to be smelly. Passing data explicitly is better.
But the whole filesystem is essentially available as a global that any function, anywhere, can access. With full user permissions. I say no. I want languages where the filesystem itself (or a subset of it) can be passed as an argument. And if a function doesn't get passed a filesystem, it can't access a filesystem. If a function isn't passed a network socket, it can't just create one out of nothing.
I don't think it would be that onerous. The main function would get passed "the whole operating system" in a sense - like the filesystem and so on. And then it can pass files and sockets and whatnot to functions that need access to that stuff.
If we build something like that, we should be able to build something like npm but where you don't need to trust the developers of 3rd party software so much. The current system of trusting everyone with everything is insane.
ratmice
I couldn't agree with you more, the thing is our underlying security models are protecting systems from their users, but do nothing for protecting user data from the programs they run. Capability based security model will fix that.
irishcoffee
> No network access. No filesystem. Nothing.
Ironically, any c++ app I've written on windows does exactly this. "Are you sure you want to allow this program to access networking?" At least the first time I run it.
I also rarely write/run code for windows.
miroljub
The issue with npm is JS doesn't have a stdlib, so developers need to rely on npm and third party libs even for things stdlib provide in languages like Java, Python, Go, ...
josephg
Sure it does. The JS standard library these days is huge. Its way bigger than C, Zig and Rust. It includes:
- Random numbers
- Timezones, date formatting
- JSON parsing & serialization
- Functional programming tools (map, filter, reduce, Object.fromEntries, etc)
- TypedArrays
And if you use bun or nodejs, you also have out of the box access to an HTTP server, filesystem APIs, gzip, TLS and more. And if you're working in a browser, almost everything in jquery has since been pulled into the browser too. Eg, document.querySelector.
Of course, web frameworks like react aren't part of the standard library in JS. Nor should they be.
What more do you want JS to include by default? What do java, python and go have in their standard libraries that JS is missing?
Eduard
JS has a stdlib, so to say. See nodejs, and Web standard.
And no programming language's stdlib includes e. g. WhatsApp API libraries
null
irishcoffee
> unless you work for a government contractor where they have strict security policies
... So you're saying there is a blueprint for mitigating this already, and it just isn't followed?
kankerlijer
It's more work and more restrictive I suppose. Any business is free to set up jfrog Artifactory and only allow the installation of approved dependencies. And anyone can pull Ironbank images I believe.
parliament32
Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved.
sneak
Every docker image specified in a k8s yml or docker-compose file or github action that doesn’t end in :sha256@<hash> (ie specifying a label) is one “docker push” away from a compromise, given that tags/labels are not cryptographically specified. You’re just trusting DockerHub and the publisher (or anyone with their creds) to not rug you.
The industry runs on a lot more unexamined trust than people think.
They’re deployed automatically by machine, which definitionally can’t even give it a second thought. The upstream trust is literally specified in code, to be reused constantly automatically. You could get owned in your sleep without doing anything just because a publisher got phished one day.
Muromec
I have to trust the publisher, otherwise I can't update and I have to update because CVE's exist. If we step back, how do I even know that the image blessed with hardcoded hash (doublechecked with the website of whoever is supposed to publish it) isn't backdored now?
OptionOfT
Pinning a GitHub Actions action doesn't prevent the action itself from doing an apt install, npm install or running a Docker image that is not pinned.
ChrisMarshallNY
That's one reason I barely use any dependencies. I'm forced to use a couple, but I tend to "roll my own," quite a bit.
Well, I should qualify that. I do use quite a few dependencies, but they are ones that I wrote.
embedding-shape
Requiring the use of lockfiles and strict adherence to checking updates, also helps. I tend to use dependencies for many things, but ones I've trusted over a long time, I know how they work, often chosen because of how they were implemented, so I can see the updates and review them myself. Scaling up to a team, you make that part of the process whenever you add a new dependencies, and someone's name always have to be "assigned" to a dependency, so people take ownership of the code that gets added. Often people figure out it's not worth it, and figure out a simpler way.
btbuildem
It's terrifying because it's true for a majority of developers.
sublinear
It's also hyperbole
josephg
I've worked in plenty of javascript shops and unfortunately its not so far off the mark. Its quite common to see JS projects with thousands of transitive dependencies. I've seen the same in python too.
morshu9001
It's funny how Py has less of this reputation just because the package manager is so broken that you might have a hard time adding so many deps in the first place. (Maybe fixed with uv, but that's relatively new and not default.)
evdubs
Is there no Apache Commons for Javascript? It'd be nice to have a large library from a 'trusted' group.
llmslave2
If one relies on the JS ecosystem to put food on the table and can't realistically make changes at their job to mitigate this, short of developing on a second airgapped work-only computer what can developers do to at least partially mitigate the risk? I've heard others mention doing all development in docker containers. Perhaps using a Linux VM?
ryanto
I run incus os, which is an operating system that is made for spinning up containers and VMs. Whenever I have to work on a JS project I launch a new container for development and then ssh into it from my laptop. You can also run incus on your computer without installing it as an operating system.
Containers still have some risk since they share the host kernel, but they're a pretty good choice for protection against the types of attacks we see in the JS ecosystem. I'll switch to VM's when we start seeing container escape exploits being published as npm packages :)
When I first started doing development this way it felt like I was being a bit too paranoid, but honestly it's so fast and easy it's not at all noticeable. I often have to work on projects that use outdated package managers and have hundreds of top-level dependencies, so it's worth the setup in my opinion.
morshu9001
If you're distributing something that uses this package, it's not just your dev computer at risk, it's all the users.
llmslave2
I'm aware thanks, but if your company is doing the standard practice of using 10k dependencies for some JS webslop you don't really have any other options but to protect yourself.
rglover
Microsoft either needs to become a better steward of NPM or hand it off to a foundation that can properly maintain it.
The_President
Good plan - I'm sure they'll get right on it after solving the virus and malware issues on their mainline OS.
anonzzzies
If they really believe their AI is that good and security practices and tooling that solid, why can't they automatically flag this stuff? I am sure they can, but once flagged a human has to check and that seems costly?
Muromec
There is no AI, it's all a scam.
anonzzzies
I had some dependency of a dependency installing crypto miners: it was pretty scary as we have not had this since wordpress. I saw a lot more people having this issue (there is a weird process consuming all my cpu). Like someone here already says: we need an Apache / NPM commons and when packages use anything outside those, big fat alarm bells should chime.
cromka
I am seriously surprised developers trust NodeJS to this extend and aren't afraid of being sued for inadvertently shipping malware to people.
It's got to be a matter of time, doesn't it, before some software company gets in serious trouble because of that. Or, NPM actually implements some serious stewardship process in place.
paularmstrong
This has nothing to do with NodeJS or NPM. The code is freely distributed, just like any open source repo or package manager may provide. The onus is on those who use it to audit what it actually does.
cromka
It absolutely does have to do with it. If we continued to ship software libraries like we still do on Linux, then you wouldn't be downloading its releases straight from the source repo, but rather have someone package and maintain them.
Except at the granularity of NodeJS packages, it would be nearly impossible to do.
Eduard
as of this writing, the alleged malware/project is still available on npm and GitHub. I'm surprised koi.ai does not mention in their article if they have reported their findings to npm/GitHub.
montague27
Is there an increasing trend of supply chain attacks? What can developers do to mitigate the impact?
HighGoldstein
Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether.
cromka
That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.
That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.
bigfatkitten
> NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.
Which when compared to NPM, which has no meaningful controls of any sort, is an enormous difference.
metaltyphoon
> and similar package ecosystems altogether
Realistically, this is impossible.
baq
at some point having LLMs spit out libraries for you might be safer than actually downloading them.
christophilus
Review and vendor your dependencies like it’s 1999.
embedding-shape
If you have to run it regardless, contain it as good as you could, given the potential impact. If you're not using the same machine for anything else, maybe "good riddance" is the way to go? Otherwise try to sandbox it, understanding the tradeoffs and (still) risks. Easiest for now is just run everything in rootless podman containers (or similar), which is relatively easy. Otherwise VMs, or other machines. All depends on what effort you feel is worth it, so really what it is your are protecting.
spot
use dependabot with cooldown.
BubbleRings
So is there a list of the most popular apps that made use of the infected lotusbail npm package?
baobun
NPM show 0 dependents in public packages. The 56k downloads number can easily have been be gamed by automation and therefore not a reliable signal of popularity.
> The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package.
> The package has been available on npm for 6 months and is still live at the time of writing.
> (...) malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server.