
Posted by sohkamyung 12/22/2025

Lotusbail npm package found to be harvesting WhatsApp messages and contacts (www.koi.ai)
323 points | 211 comments | page 2
anonzzzies 12/22/2025|
I had some dependency of a dependency installing crypto miners: it was pretty scary, as we have not had this since WordPress. I saw a lot more people having this issue ("there is a weird process consuming all my CPU"). Like someone here already said: we need an Apache / NPM commons, and when packages use anything outside those, big fat alarm bells should chime.
no-name-here 12/23/2025|
As others pointed out elsewhere, that wouldn’t have helped in this case as presumably it wouldn’t include a WhatsApp API, the purpose of this package. But it could help in general, sure.
slhck 12/23/2025||
These LLM-generated blogs aren't going away – they're everywhere. And the best part? You can now instantly push out garbage content at no cost. Traditional writing is not just dead. It's legacy. The real marketer doesn't care. He just slops.
imperfectfourth 12/23/2025|
it's funny that your comment also feels very LLM-generated.
slhck 12/23/2025||
Um, yes. That's the entire joke.
BubbleRings 12/22/2025||
So is there a list of the most popular apps that made use of the infected lotusbail npm package?
baobun 12/22/2025|
NPM shows 0 dependents in public packages. The 56k downloads number can easily have been gamed by automation and is therefore not a reliable signal of popularity.
esafak 12/22/2025||
Did any other scanner catch this, and when? A detection lag leaderboard would be neat.
Eduard 12/23/2025||
As of this writing, the alleged malware/project is still available on npm and GitHub. I'm surprised koi.ai does not mention in their article whether they have reported their findings to npm/GitHub.
The_President 12/22/2025||
Recently audited a software plan created by an AI tool. NPM dependencies as far as the eye can see. I can only imagine the daunting liability concerns if the suggested "engineering" style was actually put forth to be used in production across the wide userbase. That said, the process of the user creating the "draft" codebase gave them a better understanding of scope of work necessary.
cromka 12/22/2025||
I am seriously surprised developers trust NodeJS to this extent and aren't afraid of being sued for inadvertently shipping malware to people.

It's got to be a matter of time, doesn't it, before some software company gets in serious trouble because of that. Or, NPM actually implements some serious stewardship process in place.

paularmstrong 12/22/2025|
This has nothing to do with NodeJS or NPM. The code is freely distributed, just like any open source repo or package manager may provide. The onus is on those who use it to audit what it actually does.
cromka 12/23/2025||
It absolutely does have to do with it. If we continued to ship software libraries like we still do on Linux, then you wouldn't be downloading its releases straight from the source repo, but rather have someone package and maintain them.

Except at the granularity of NodeJS packages, it would be nearly impossible to do.

Kwpolska 12/23/2025||
Why are Linux packagers so trustworthy? In most distros, they're a group of volunteers. The group is smaller, but it's not impossible for someone with malicious intent to get the keys to the kingdom and upload packages with embedded malware.
fooker 12/22/2025||
> 56k Downloads?

That seems ..low..?

Eji1700 12/22/2025||
It also seems weird that people are only scanning code that breaks?

I have 0 cred in anything security, so maybe I'm just missing a bigger-picture thing, but like... if you told me I had to make some sort of malicious NPM package and get people to use it, I'd probably just find something that works, copy the code, put in some stylistic changes, and then bury my malicious code in there?

This seems so obvious that I question if the OP is correct in stating people aren't looking for that, or maybe I misunderstand what they mean because I'm ignorant?

pixl97 12/23/2025||
>It also seems weird that people are only scanning code that breaks?

That's how the xz exploit was caught.

outofpaper 12/22/2025|||
Feels almost SEO. 56k used to be the top speed for modems. It was L33t.
throw-12-16 12/23/2025|
NPM was a mistake.

We created a minefield of abandonware and called it an ecosystem.

SoftTalker 12/23/2025|
Or perhaps it was all by design?