Fake WhatsApp API On Npm Puts Developers’ Accounts At Risk


A malicious npm package disguised as a WhatsApp API library has stolen developer credentials, highlighting the growing vulnerabilities in open source software supply chains.

Security researchers have uncovered a fake WhatsApp API package on npm that actively steals developer credentials, raising fresh concerns about the security of open source software supply chains.

The malicious library, named lotusbail, was uploaded in May 2025 by a user called seiren_primrose and has been downloaded over 56,000 times, including 711 downloads in the past week. The package remains available for download.

Targeting developers integrating WhatsApp features into applications such as messaging tools, customer support systems, or automation services, the package impersonated a legitimate API library. By leveraging similar naming conventions and descriptions, it blended seamlessly into development workflows, executing code during installation or runtime to exfiltrate credentials.

The consequences are severe. Compromised accounts can lead to downstream attacks affecting applications, services, and entire production environments, putting both developers and businesses at risk.

Tuval Admoni, Koi Security researcher, said: “Steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server.”

Admoni added: “When you use this library to authenticate, you’re not just linking your application — you’re also linking the threat actor’s device. They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.”

This incident underscores the dangers of supply chain attacks in open source ecosystems, where a single compromised package can propagate malicious code across thousands of developers and businesses. It also stresses the importance of vetting and verifying third-party dependencies before integration.
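Two of the warning signs described above can be checked mechanically before a dependency is integrated: whether a package declares npm lifecycle scripts that execute during installation, and whether its name is a near-miss of a package the project actually intends to use. The script below is an added example written for this article, not code from the package, its author, or Koi Security. The manifests, the `acme-*` package names and the allowlist are all constructed for illustration.

```javascript
// Added example: vetting npm dependency manifests for two red flags the
// article describes. All package names and manifests below are constructed
// placeholders, not real packages.

// npm lifecycle hooks that run shell commands during `npm install` of a
// registry dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Classic single-row dynamic-programming edit distance, used to detect
// look-alike package names.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // dp[i-1][j-1] for the current column
    prev[0] = i;                 // dp[i][0]
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];       // dp[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(
        prev[j] + 1,             // deletion
        prev[j - 1] + 1,         // insertion
        diag + cost,             // substitution or match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Vet one package manifest (the parsed package.json of a dependency).
// `allowlist` is the set of package names the project knowingly depends on.
// A package not on the allowlist whose name is within `maxDistance` edits of
// an allowlisted name is flagged as a possible look-alike. Returns an array
// of human-readable findings; an empty array means nothing was flagged.
function vetPackage(manifest, allowlist, maxDistance = 2) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push(`${manifest.name}: runs a "${hook}" script at install time: ${scripts[hook]}`);
    }
  }
  if (!allowlist.has(manifest.name)) {
    for (const expected of allowlist) {
      const d = levenshtein(manifest.name, expected);
      if (d > 0 && d <= maxDistance) {
        findings.push(`${manifest.name}: not on the allowlist and only ${d} edit(s) from "${expected}"`);
      }
    }
  }
  return findings;
}

// Vet a list of manifests and return a report keyed by package name.
function vetAll(manifests, allowlist) {
  const report = {};
  for (const m of manifests) report[m.name] = vetPackage(m, allowlist);
  return report;
}

// Constructed sample manifests (hypothetical packages).
const SAMPLE_MANIFESTS = [
  { name: 'acme-whatsapp-client', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'acme-whatsap-client', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  { name: 'acme-logger', version: '2.1.0' },
];

// Dependencies this hypothetical project intends to use.
const ALLOWLIST = new Set(['acme-whatsapp-client', 'acme-logger']);

for (const [name, findings] of Object.entries(vetAll(SAMPLE_MANIFESTS, ALLOWLIST))) {
  console.log(findings.length ? findings.join('\n') : `${name}: no flags`);
}
```

In the sample data only `acme-whatsap-client` is flagged, once for its `postinstall` script and once as a one-edit look-alike of the allowlisted `acme-whatsapp-client`. Running `npm install --ignore-scripts` prevents lifecycle scripts from executing while a package is being reviewed. The name check only catches near-misspellings; a package that relies on a plausible name and description, as the article says lotusbail did, still requires reviewing the publisher and the package contents.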
