Malicious NPM Package 'Lotusbail' Steals WhatsApp Data from 56,000 Users

Beware of 'Lotusbail' on NPM, a fake WhatsApp API stealing credentials and messages, affecting over 56,000 users.

By Content Team

Dec 23, 2025

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

A fake WhatsApp Web API library called 'Lotusbail' has been secretly stealing users' credentials and messages for six months on NPM, racking up over 56,000 downloads. Koi Security discovered the malicious package masquerades as a legitimate WhatsApp tool but captures everything - authentication tokens, messages, contacts, and media files - then encrypts and sends the data to attackers.

The malware goes further by hijacking WhatsApp's device pairing process, secretly linking the attacker's device to victims' accounts for permanent backdoor access. Simply uninstalling the package won't help - users must manually remove all linked devices from WhatsApp settings to regain security.

Source: SecurityWeek

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Hackers Exploit Critical Quest KACE Flaw to Take Over Management Systems

Mar 21, 2026

Jaguar Land Rover Sales Plummet 43% After Cyber Attack and US Tariffs

Jan 9, 2026

US Charges 31 More in Massive ATM Hacking Scheme

Jan 28, 2026

Hackers Actively Exploiting Critical Zero-Day Flaw in 120+ Cisco Email Security Devices

Dec 21, 2025