Posted by sohkamyung 10 hours ago

Lotusbail npm package found to be harvesting WhatsApp messages and contacts (www.koi.ai)
257 points | 158 comments (page 2)
anonzzzies 9 hours ago
I had some dependency of a dependency installing crypto miners: it was pretty scary as we have not had this since WordPress. I saw a lot more people having this issue (there is a weird process consuming all my CPU). Like someone here already said: we need an Apache / NPM commons and when packages use anything outside those, big fat alarm bells should chime.
no-name-here 7 hours ago
As others pointed out elsewhere, that wouldn’t have helped in this case as presumably it wouldn’t include a WhatsApp API, the purpose of this package. But it could help in general, sure.
BubbleRings 9 hours ago
So is there a list of the most popular apps that made use of the infected lotusbail npm package?
baobun 9 hours ago
NPM shows 0 dependents in public packages. The 56k downloads number can easily have been gamed by automation and is therefore not a reliable signal of popularity.
Eduard 8 hours ago
As of this writing, the alleged malware/project is still available on npm and GitHub. I'm surprised koi.ai does not mention in their article whether they have reported their findings to npm/GitHub.
esafak 9 hours ago
Did any other scanner catch this, and when? A detection lag leaderboard would be neat.
The_President 9 hours ago
Recently audited a software plan created by an AI tool. NPM dependencies as far as the eye can see. I can only imagine the daunting liability concerns if the suggested "engineering" style was actually put forth to be used in production across the wide userbase. That said, the process of the user creating the "draft" codebase gave them a better understanding of the scope of work necessary.
cromka 8 hours ago
I am seriously surprised developers trust NodeJS to this extent and aren't afraid of being sued for inadvertently shipping malware to people.

It's got to be a matter of time, doesn't it, before some software company gets in serious trouble because of that. Or NPM actually puts some serious stewardship process in place.

paularmstrong 8 hours ago
This has nothing to do with NodeJS or NPM. The code is freely distributed, just like any open source repo or package manager may provide. The onus is on those who use it to audit what it actually does.
cromka 8 hours ago
It absolutely does have to do with it. If we continued to ship software libraries like we still do on Linux, then you wouldn't be downloading its releases straight from the source repo, but rather have someone package and maintain them.

Except at the granularity of NodeJS packages, it would be nearly impossible to do.

Kwpolska 1 hour ago
Why are Linux packagers so trustworthy? In most distros, they're a group of volunteers. The group is smaller, but it's not impossible for someone with malicious intent to get the keys to the kingdom and upload packages with embedded malware.
antiloper 9 hours ago
Was anyone actually affected by this? Is this package a dependency of some popular package?

I assume the answer is no because this is clearly clickbait AI slop but who knows.

jameslk 8 hours ago
Malicious libraries will drive more code to be written by LLMs. Currently, malicious libraries seem to be typically trivial libraries. A WhatsApp API library is just on the edge of something that can be vibe coded, and avoiding getting pwned may be a good enough tipping point to embrace NIH syndrome more and more, which I think would be a net negative for F/OSS.

The incentives are aligned with the AI model companies, which benefit from using more tokens to code something from scratch.

Security issues will simply move to LLM-related security holes.

Kwpolska 1 hour ago
The library in question is a malicious fork of a library which reverse engineered the undocumented WhatsApp Web API. Good luck making a slop generator reverse engineer an API.
jameslk 33 minutes ago
I would wager LLMs in a good enough tool/eval loop would actually do pretty well at that task. But they may also be pretty good at just replicating existing libraries wholesale, sans the malicious bits.
runningmike 10 hours ago
Popularity is never a metric for security or quality... Always verify.
criddell 9 hours ago
Verify? Verify what?
user34283 9 hours ago
Verify what? I certainly don't have the capacity to thoroughly review my every dependency's source code in order to detect potentially hidden malware.

In this case more realistic advice would probably be to either rely on a more popular package to benefit from swarm intelligence, or create your own implementation.

bdangubic 9 hours ago
Also scrutinize every dependency you introduce. I have seen sooooo many dependencies over the years where a library was brought in for one or two things which you can write yourself in 5 minutes (e.g. commons-lang to use null-safe string compare or contains only).
notKilgoreTrout 9 hours ago
Sure but you basically need a different ecosystem to bring in a popular package and not expect to end up with these trivial libraries indirectly through some of the dependencies.
user34283 9 hours ago
Said scrutinizing from my side consists of checking the number of downloads and age of the package, maybe at best a quick look at the GitHub.

Yes, I'm sure many dependencies aren't very necessary. However, in many projects I worked on (corporate) which were on the older Webpack/Babel/Jest stack, you can expect node_modules at over 1 GB. There this ship has sailed long ago.

But on the upside, most of those packages should be fairly popular. With pnpm's dependency cooldown and whitelisting of postinstall scripts, you are probably good.

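The checks user34283 describes above (download count and package age as a quick screen, a release cooldown before a new version is accepted, and an allow-list of packages permitted to run install scripts; baobun's point that download counts can be gamed applies to the first of these) can be run together as one offline lockfile audit. The script below is an added example, not code from the thread, from koi.ai or from pnpm: the package names, the lockfile, the registry metadata and the policy option names are all constructed for illustration, and the heuristics are the thread's, not a reimplementation of pnpm's own settings. In a real run the `time` map would come from `registry.npmjs.org/<name>` and the weekly download figure from `api.npmjs.org/downloads/point/last-week/<name>`.

```javascript
// Added example (not from the thread or from pnpm): an offline audit of a
// package-lock.json applying three heuristics from the discussion above:
// a release cooldown (reject versions published less than N days ago), an
// allow-list of packages that may run install scripts, and a download floor.
// Every input below is constructed inline so the script runs without network.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed package-lock.json (lockfileVersion 3 shape). "hasInstallScript"
// is the field npm sets when a package declares (pre|post)install scripts.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/left-pad-ish": { version: "1.0.4" },
    "node_modules/chat-client": { version: "2.3.1", hasInstallScript: true },
    "node_modules/esbuild-ish": { version: "0.1.9", hasInstallScript: true },
  },
};

// Constructed registry metadata for the hypothetical packages above. "time"
// mirrors the version -> publish-date map the npm registry returns.
const SAMPLE_REGISTRY = {
  "left-pad-ish": { time: { "1.0.4": "2022-05-01T00:00:00.000Z" }, weeklyDownloads: 1200000 },
  "chat-client":  { time: { "2.3.1": "2025-02-18T09:00:00.000Z" }, weeklyDownloads: 56000 },
  "esbuild-ish":  { time: { "0.1.9": "2024-11-03T00:00:00.000Z" }, weeklyDownloads: 5000000 },
};

// The policy. Option names are this example's own, not pnpm's setting names.
const POLICY = {
  minimumAgeDays: 7,                      // release cooldown
  allowInstallScripts: ["esbuild-ish"],   // only these may run install scripts
  minWeeklyDownloads: 100000,             // weak signal (gameable), but cheap
};

// Flatten the lockfile's "packages" map into {name, version, hasInstallScript}.
// Nested paths like node_modules/a/node_modules/b resolve to the last segment.
function lockfileDependencies(lockfile) {
  const marker = "node_modules/";
  const deps = [];
  for (const [key, entry] of Object.entries(lockfile.packages)) {
    if (key === "") continue; // the root project itself
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: entry.version, hasInstallScript: Boolean(entry.hasInstallScript) });
  }
  return deps;
}

// Returns one finding per violated rule: {name, version, rule, detail}.
function auditLockfile(lockfile, registry, now, policy) {
  const allowed = new Set(policy.allowInstallScripts);
  const findings = [];
  for (const dep of lockfileDependencies(lockfile)) {
    const flag = (rule, detail) =>
      findings.push({ name: dep.name, version: dep.version, rule, detail });
    const meta = registry[dep.name];
    if (!meta) {
      flag("no-registry-metadata", "package not present in registry data");
      continue;
    }
    const published = meta.time[dep.version];
    if (!published) {
      flag("version-not-in-registry", "locked version has no publish time");
    } else {
      const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
      if (ageDays < policy.minimumAgeDays) {
        flag("too-new", `published ${ageDays.toFixed(1)} days ago, cooldown is ${policy.minimumAgeDays}`);
      }
    }
    if (dep.hasInstallScript && !allowed.has(dep.name)) {
      flag("install-script-not-allowlisted", "declares an install script but is not allow-listed");
    }
    if (meta.weeklyDownloads < policy.minWeeklyDownloads) {
      flag("low-downloads", `${meta.weeklyDownloads} weekly downloads, floor is ${policy.minWeeklyDownloads}`);
    }
  }
  return findings;
}

// Run against the constructed data with a fixed clock so the result is stable.
const NOW = new Date("2025-02-20T00:00:00.000Z");
const FINDINGS = auditLockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY, NOW, POLICY);
for (const f of FINDINGS) console.log(`${f.name}@${f.version}: ${f.rule} (${f.detail})`);
```

With the sample data only `chat-client` is flagged, and it trips all three rules at once: a version published under two days ago, an install script that nobody allow-listed, and a download count of the same order as the one quoted in the thread. The cooldown and the allow-list are the two checks that do not depend on a popularity number and are therefore the ones worth enforcing in CI; the download floor is kept only as a cheap extra signal, since counts can be inflated.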
k8sToGo 9 hours ago
But... GitHub stars!
sneak 9 hours ago
Over a certain popularity it is. 56k downloads is nowhere near the threshold.