
Posted by sohkamyung 14 hours ago

Lotusbail npm package found to be harvesting WhatsApp messages and contacts (www.koi.ai)
293 points | 185 comments (page 4)
edoceo 13 hours ago
Once again, just having a better supply chain tool, just reviewing the changed packages, could mitigate. Maybe holding back some of the dependencies of dependencies would mitigate.

Why aren't more teams putting some tool in front of their blind installs from NPM (et al)?

peacebeard 13 hours ago
Wow that AI art looks terrible.
ilio 13 hours ago
Lots of signs of AI writing also: “not this, but that” constructions everywhere. The first paragraph in Final Thoughts is pure ChatGPT.

It’s hard to read any blog anymore without trying to work out which part is actually from a human.

canyp 11 hours ago
Soon the only way to assure your readers that your writing is human is by calling them a motherfucker in the opening sentence.

But then, you'd only be sure that the first sentence was legitimate and not the rest of the article. That is why I constantly reassure my readers that they're some goddamn motherfuckers throughout my writing. And you, too, are one, my friend.

peacebeard 11 hours ago
We've got a bona fide human right here motherfuckers
ashishb 13 hours ago
JavaScript fanatics will downvote me, but I will say it again. JavaScript is meant to be run in an untrusted environment (think browser), and running it in any form of trusted environment increases the risk drastically [1].

The language is too hard to do meaningful static analysis on. This particular attack is much harder (though not impossible) to execute in Java, Go, or Rust-based packages.

1 - https://ashishb.net/tech/javascript/

tantalor 13 hours ago
Even in a browser, a compromised JS payload can put your user's data and privacy at risk.
ashishb 13 hours ago
> Even in a browser, a compromised JS payload can put your user's data and privacy at risk.

True. In a backend, however, a compromised payload can put all of your users' data and your non-user data at risk.

Muromec 12 hours ago
> your non-user data at risk.

That sounds like a GDPR fine waiting to be issued right there.

mcintyre1994 13 hours ago
In what way is it harder to write a library that exfiltrates credentials passed to it in those languages? I’d think it’d be a bit easier because you could use the standard library instead of custom encryption, but otherwise pretty much the same.
ashishb 13 hours ago
> In what way is it harder to write a library that exfiltrates credentials passed to it in those languages?

It is not harder to write. It is more challenging to execute this attack stealthily.

Due to the myriad behaviors of runtimes (browser vs. backend), frameworks (and their numerous versions), and over-dependency on external dependencies (e.g., leftpad), the risk in JS-based backends increases significantly.

scotty79 10 hours ago
> Traditional security doesn't catch this.

> const backdoorCode = crypto.AES.decrypt( "U2FsdGVkX1+LgFmBqo3Wg0zTlHXoebkTRtjmU0cq9Fs=", "ERROR_FILE" ).toString(crypto.enc.Utf8);

Really? Isn't a random garbage string a pretty strong indication of someone doing something suspicious?