
Posted by sohkamyung 12/22/2025

Lotusbail npm package found to be harvesting WhatsApp messages and contacts (www.koi.ai)
323 points | 211 comments
edoceo 12/22/2025
Once again, just having a better supply chain tool, just reviewing the changed packages, could mitigate. Maybe holding back some of the dependencies of dependencies would mitigate.

Why aren't more teams putting some tool in front of their blind installs from NPM (et al.)?
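A sketch of the review gate edoceo describes, as an added example that is not part of the thread or of the koi.ai write-up: it diffs two package-lock.json snapshots (both constructed here) and blocks on packages that appeared without a package.json change or that declare install scripts. `hasInstallScript` is the field npm writes into lockfile v2/v3 entries; the package names are made up.

```javascript
// Added example for this thread, not code from the posts or from the koi.ai write-up: a minimal
// pre-install review gate that diffs two package-lock.json (lockfileVersion 3) snapshots and
// flags what a human should look at first. All lockfile contents and package names are constructed.

const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": { version: "1.3.1" },
    // Constructed transitive dependency: it appeared with no manifest change and
    // declares a lifecycle (install) script, the combination the gate should stop on.
    "node_modules/left-pad/node_modules/example-helper": { version: "0.0.9", hasInstallScript: true },
  },
};

// Compare the resolved package trees and classify every difference; "" is the root project.
function diffLockfiles(prev, next) {
  const findings = [];
  for (const [path, pkg] of Object.entries(next.packages)) {
    if (path === "") continue;
    const old = prev.packages[path];
    const installScript = Boolean(pkg.hasInstallScript);
    if (!old) findings.push({ path, kind: "added", to: pkg.version, installScript });
    else if (old.version !== pkg.version) {
      findings.push({ path, kind: "changed", from: old.version, to: pkg.version, installScript });
    }
  }
  return findings;
}

// Policy: block when a new or changed package runs install scripts, or when a package
// was added although package.json did not change (silent transitive churn).
function reviewGate(prev, next) {
  const findings = diffLockfiles(prev, next);
  const manifestChanged = JSON.stringify(prev.packages[""]) !== JSON.stringify(next.packages[""]);
  const blockers = findings.filter((f) => f.installScript || (f.kind === "added" && !manifestChanged));
  return { ok: blockers.length === 0, findings, blockers };
}

const result = reviewGate(lockBefore, lockAfter);
for (const f of result.findings) console.log(f.kind.padEnd(8), f.path, f.installScript ? "[install script]" : "");
console.log(result.ok ? "OK: nothing to review" : `BLOCKED: ${result.blockers.length} package(s) need review`);
```

Holding back transitive updates, the other mitigation mentioned above, maps to npm's `--before=<date>` install flag, which limits resolution to versions published on or before that date.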

peacebeard 12/22/2025
Wow, that AI art looks terrible.
ilio 12/22/2025
Lots of signs of AI writing also: “not this, but that” constructions everywhere. The first paragraph in Final Thoughts is pure ChatGPT.

It’s hard to read any blog anymore without trying to work out which part is actually from a human.

canyp 12/23/2025
Soon the only way to assure your readers that your writing is human is by calling them a motherfucker in the opening sentence.

But then, you'd only be sure that the first sentence was legitimate and not the rest of the article. That is why I constantly reassure my readers that they're some goddamn motherfuckers throughout my writing. And you, too, are one, my friend.

peacebeard 12/23/2025
We've got a bona fide human right here, motherfuckers.
antiloper 12/22/2025
Was anyone actually affected by this? Is this package a dependency of some popular package?

I assume the answer is no because this is clearly clickbait AI slop, but who knows.

ashishb 12/22/2025
JavaScript fanatics will downvote me, but I will say it again: JavaScript is meant to be run in an untrusted environment (think browser), and running it in any form of trusted environment increases the risk drastically [1].

The language is too hard to do meaningful static analysis on. This particular attack is much harder (though not impossible) to execute in Java, Go, or Rust-based packages.

1 - https://ashishb.net/tech/javascript/

tantalor 12/22/2025
Even in a browser, a compromised JS payload can put your user's data and privacy at risk.
ashishb 12/22/2025
> Even in a browser, a compromised JS payload can put your user's data and privacy at risk.

True. In a backend, however, a compromised payload can put all of your users' data and your non-user data at risk.

Muromec 12/23/2025
> your non-user data at risk.

That sounds like a GDPR fine waiting to be issued right there.

mcintyre1994 12/22/2025
In what way is it harder to write a library that exfiltrates credentials passed to it in those languages? I’d think it’d be a bit easier because you could use the standard library instead of custom encryption, but otherwise pretty much the same.
ashishb 12/22/2025
> In what way is it harder to write a library that exfiltrates credentials passed to it in those languages?

It is not harder to write. It is more challenging to execute this attack stealthily.

Due to the myriad behaviors of runtimes (browser vs. backend), frameworks (and their numerous versions), and over-dependency on external dependencies (e.g., leftpad), the risk in JS-based backends increases significantly.