Posted by sohkamyung 12/22/2025

Lotusbail npm package found to be harvesting WhatsApp messages and contacts (www.koi.ai)
323 points | 211 comments (page 3)
runningmike 12/22/2025|
Popularity is never a metric for security or quality… Always verify.
user34283 12/22/2025||
Verify what? I certainly don't have the capacity to thoroughly review my every dependency's source code in order to detect potentially hidden malware.

In this case more realistic advice would probably be to either rely on a more popular package to benefit from swarm intelligence, or to create your own implementation.

bdangubic 12/22/2025||
also scrutinize every dependency you introduce. I have seen sooooo many dependencies over the years where a library was brought in for one or two things which you can write yourself in 5 minutes (e.g. commons-lang to use null-safe string compare or contains only)
notKilgoreTrout 12/22/2025|||
Sure but you basically need a different ecosystem to bring in a popular package and not expect to end up with these trivial libraries indirectly through some of the dependencies.
user34283 12/22/2025|||
Said scrutinizing from my side consists of checking the number of downloads and age of the package, maybe at best a quick look at the GitHub.

Yes, I'm sure many dependencies aren't very necessary. However, in many projects I worked on (corporate) which were on the older Webpack/Babel/Jest stack, you can expect node_modules at over 1 GB. There this ship has sailed long ago.

But on the upside, most of those packages should be fairly popular. With pnpm's dependency cooldown and whitelisting of postinstall scripts, you are probably good.

pixl97 12/23/2025||
>consists of checking the number of downloads and age of the package

Age can't be gamed, but number of downloads sure can.

bdangubic 12/23/2025||
I look at the number of downloads just like I look at the number of Amazon reviews :) It tells you just about the same thing: nothing at all.
criddell 12/22/2025|||
Verify? Verify what?
sneak 12/22/2025|||
Over a certain popularity it is. 56k downloads is nowhere near the threshold.
k8sToGo 12/22/2025||
But... GitHub stars!
paul_h 12/23/2025||
isolated-vm (https://www.npmjs.com/package/isolated-vm) here we come for increased sandboxing of node bits and pieces? And we are a year after Java took out the security manager that could sandbox jars in separate classloaders - a standout feature since 1995.
jameslk 12/23/2025||
Malicious libraries will drive more code to be written by LLMs. Currently, malicious libraries seem to be typically trivial libraries. A WhatsApp API library is just on the edge of something that can be vibe coded, and avoiding getting pwned may be a good enough tipping point to embrace NIH syndrome more and more, which I think would be a net negative for F/OSS.

The incentives are aligned with the AI model companies, which benefit from using more tokens to code something from scratch.

Security issues will simply move to LLM-related security holes.

Kwpolska 12/23/2025|
The library in question is a malicious fork of a library which reverse engineered the undocumented WhatsApp Web API. Good luck making a slop generator reverse engineer an API.
jameslk 12/23/2025||
I would wager LLMs in a good enough tool/eval loop would actually do pretty well at that task. But they may also be pretty good at just replicating existing libraries wholesale, sans the malicious bits
agentifysh 12/22/2025||
Wonder if this is possible with Flutter packages or Python? I'm looking to slowly get away from the JavaScript ecosystem.

I've started using Flutter even for web applications as well; it works pretty well. I still use Astro/React though for frontend websites, so I can't completely get away from it.

paularmstrong 12/22/2025||
The code is literally right there for you. It doesn't matter what ecosystem or package manager. Someone could distribute the same thing anywhere — it's up to those pulling it in to actually start auditing what they're accepting.
The_President 12/22/2025|||
PyPI has had compromised or fake packages in the past.
johnny22 12/22/2025||
Yes, it is possible with Rust, Python, PHP, and likely many others.
j45 12/23/2025||
Almost need to run each npm package isolated to the extent possible, or something equivalent.
scotty79 12/23/2025||
> Traditional security doesn't catch this.

> const backdoorCode = crypto.AES.decrypt( "U2FsdGVkX1+LgFmBqo3Wg0zTlHXoebkTRtjmU0cq9Fs=", "ERROR_FILE" ).toString(crypto.enc.Utf8);

Really? Isn't a random garbage string a pretty strong indication of someone doing something suspicious?

pixl97 12/23/2025|
I mean there are a number of tools that look for things like high entropy strings and other crypto keys.
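The kind of check pixl97 describes, as an added example (not code from the thread or from the koi.ai write-up): a small offline scanner that scores each JavaScript string literal by Shannon entropy, with a lower bar for literals that are already base64-shaped. The thresholds and the sample source are constructed assumptions; the decrypt line in the sample is the one quoted above.

```python
# Added example, not the thread's or koi.ai's code: score every JS string
# literal by Shannon entropy so an embedded encrypted blob stands out.
import math
import re
from collections import Counter

# Single- or double-quoted JS string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

MIN_LEN = 20              # shorter literals are too noisy to score
ENTROPY_THRESHOLD = 4.5   # bits/char; assumed: prose this short stays below ~4.3
BASE64_THRESHOLD = 3.5    # assumed: lower bar once the literal already looks like base64


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious(literal):
    """Long and near-random, or long and base64-shaped with decent entropy."""
    if len(literal) < MIN_LEN:
        return False
    h = shannon_entropy(literal)
    return h >= ENTROPY_THRESHOLD or (BASE64_LIKE.match(literal) is not None and h >= BASE64_THRESHOLD)


def scan_js(source):
    """Return (line_no, literal, entropy) for every flagged string literal."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            lit = m.group(1) if m.group(1) is not None else m.group(2)
            if is_suspicious(lit):
                hits.append((line_no, lit, round(shannon_entropy(lit), 2)))
    return hits


# Constructed sample: the decrypt call quoted in the thread plus benign neighbours.
SAMPLE_JS = """\
const banner = "Connecting to WhatsApp Web, please wait";
const backdoorCode = crypto.AES.decrypt( "U2FsdGVkX1+LgFmBqo3Wg0zTlHXoebkTRtjmU0cq9Fs=", "ERROR_FILE" ).toString(crypto.enc.Utf8);
const retry = 'reconnecting in 5 seconds';
"""

if __name__ == "__main__":
    for line_no, lit, h in scan_js(SAMPLE_JS):
        print(f"line {line_no}: entropy {h:.2f} bits/char -> {lit}")
```

Run against a real package's `node_modules` tree this will also light up legitimate hashes, minified assets and embedded fonts, so the output is a triage list for a human, not a verdict.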