A fake WhatsApp Web API library called 'Lotusbail' has been secretly stealing users' credentials and messages for six months on NPM, racking up over 56,000 downloads. Koi Security discovered the malicious package masquerades as a legitimate WhatsApp tool but captures everything - authentication tokens, messages, contacts, and media files - then encrypts and sends the data to attackers.
The malware goes further by hijacking WhatsApp's device pairing process, secretly linking the attacker's device to victims' accounts for permanent backdoor access. Simply uninstalling the package won't help - users must manually remove all linked devices from WhatsApp settings to regain security.
Source: SecurityWeek