Executive Summary
In May 2025, a malicious npm package named "lotusbail" was uploaded to the JavaScript ecosystem, masquerading as a fully functional WhatsApp API. Created by a user known as "seiren_primrose," the package was downloaded over 56,000 times before discovery. Behind its legitimate capabilities, "lotusbail" stealthily exfiltrated WhatsApp credentials, intercepted all messages, harvested contacts, installed a persistent backdoor, and linked attacker devices to victims’ WhatsApp accounts for continuous unauthorized access. Data was encrypted and exfiltrated to attacker-controlled servers, with covert device pairing persisting even after package removal, compounding the risk to both individuals and organizations reliant on WhatsApp for communication.
This incident highlights the growing risk of advanced supply chain attacks via trusted open-source repositories. Attackers increasingly use sophisticated evasion tactics—like anti-debugging, code obfuscation, and reputation laundering—to slip past static and reputation-based security controls. As software supply chain threats intensify, organizations must urgently reassess the hygiene, monitoring, and zero trust posture of their development pipelines.
Why This Matters Now
Open-source supply chain attacks are accelerating, targeting widely used libraries to compromise developer and business ecosystems at scale. With attackers demonstrating persistent access capabilities even post-removal, organizations face heightened risk of data breaches, identity compromise, and regulatory impact. Prompt detection and mitigation are essential to defend modern app development environments.
Attack Path Analysis
The attacker achieved initial compromise by distributing a malicious npm package that posed as a legitimate WhatsApp API, which was unwittingly downloaded and integrated by developers. Upon installation and use, the malware escalated privileges by capturing authentication tokens and hijacking the device linking process to persistently access victim accounts. The threat actor leveraged this access for limited lateral movement, maintaining stealthy presence across environments where the package was deployed. Communication channels were established for ongoing command and control via exfiltration of data through encrypted outbound connections to attacker-controlled servers. Sensitive information, including messages, contacts, media, and credentials, was exfiltrated covertly. Finally, the attacker established long-term impact by maintaining unauthorized access, enabling continuous monitoring or potential further abuse of compromised WhatsApp accounts.
Kill Chain Progression
Initial Compromise
Description
A fake, malicious npm package mimicking a WhatsApp API was published and downloaded, leading to supply chain intrusion upon installation by developers.
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Modify Authentication Process: Credentials in Files
Two-Factor Authentication Interception
Automated Exfiltration
Application Layer Protocol: Web Protocols
Hide Artifacts: Hidden Files and Directories
Virtualization/Sandbox Evasion: System Checks
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Production and Test Environments Separation
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Third-Party Risk Management
Control ID: Article 6(7)
CISA Zero Trust Maturity Model 2.0 – Software Supply Chain Integrity
Control ID: Asset Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure to npm supply chain attacks targeting developers using WhatsApp APIs, with malicious packages intercepting credentials and establishing persistent backdoors.
Information Technology/IT
High risk from supply chain compromises affecting development workflows, requiring enhanced package validation and zero trust segmentation for east-west traffic protection.
Financial Services
Critical vulnerability to cryptocurrency wallet hijacking and OAuth token theft, with compliance implications under PCI and regulatory requirements for secure communications.
Computer/Network Security
Strategic impact as security practitioners must defend against sophisticated supply chain attacks while implementing threat detection capabilities to identify malicious package behaviors.
Sources
- Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokenshttps://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.htmlVerified
- Poisoned WhatsApp API package steals messages and accountshttps://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/Verified
- Malicious NPM Package 'Lotusbail' Steals Data and Takes Over WhatsApp Accountshttps://www.thaicert.or.th/en/2025/12/29/malicious-npm-package-lotusbail-steals-data-and-takes-over-whatsapp-accounts/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, robust east-west and egress controls, multilayer visibility, and real-time policy enforcement would have constrained the malicious npm package’s ability to move laterally, communicate out, and exfiltrate sensitive information. CNSF capabilities mapped to runtime inspection, microsegmentation, egress filtering, and encryption visibility collectively reduce the risk and blast radius from supply chain threats.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of anomalous library behaviors or traffic.
Control: Zero Trust Segmentation
Mitigation: Restricted unauthorized lateral or privileged actions within the application and cloud environment.
Control: East-West Traffic Security
Mitigation: Blocked or alerted on unauthorized resource access or pivoting.
Control: Cloud Firewall (ACF)
Mitigation: Blocked or identified unauthorized outbound C2 connections.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented or detected unauthorized outbound data transfers.
Rapid detection and remediation of long-lived unauthorized access.
Impact at a Glance
Affected Business Functions
- Customer Support
- Marketing Communications
- Internal Communications
Estimated downtime: 7 days
Estimated loss: $500,000
The malicious 'lotusbail' package intercepts and exfiltrates WhatsApp authentication tokens, session keys, message histories, contact lists, and media files. This leads to unauthorized access to sensitive communications and personal data, potentially resulting in identity theft, reputational damage, and regulatory penalties.
Recommended Actions
Key Takeaways & Next Steps
- • Establish Zero Trust Segmentation and microsegmentation to strictly limit workload communications and lateral movement from third-party code.
- • Enforce outbound egress controls and FQDN filtering to block unauthorized data exfiltration and C2 channels from cloud workloads.
- • Deploy continuous anomaly detection and traffic baselining to promptly surface malicious behaviors not detected by static code analysis or reputation systems.
- • Implement centralized cloud visibility and distributed policy enforcement across all environments (including dev/test) for real-time response to compromised components.
- • Regularly audit and validate open-source dependencies, applying runtime risk assessment and posture controls to reduce supply chain risk.
