Beware the WhatsApp Hijacker: Lotusbail NPM Package Caught Red-Handed!

The malicious NPM package, Lotusbail, disguised as a WhatsApp Web API library, has been stealing users’ credentials and data. Koi Security warns that this sneaky package, downloaded over 56,000 times, captures messages and authentication tokens. Uninstalling won’t help; users must manually unlink devices to boot out the unwelcome intruders.


Hot Take:

Who knew that sending a “Hey, how are you?” on WhatsApp could also mean “Hey, here are my credentials, contact list, and media files, please steal them”? Seems like the only “baileys” you should trust is the one that comes in a glass, not an NPM package. Let’s hope you didn’t use it to order a pizza because hackers just got a slice of your identity!

Key Points:

  • Lotusbail: A Trojan Horse masquerading as a WhatsApp API library on NPM.
  • It has been lurking in the NPM repository for six months, with over 56,000 downloads.
  • This package captures and duplicates all WhatsApp messages and credentials.
  • It encrypts stolen data with a custom RSA implementation to avoid detection.
  • Victims must manually unlink devices from WhatsApp to remove hacker access.
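To check whether the package named above is anywhere in a project's dependency tree, including as a transitive or aliased dependency, the lockfile can be searched. The following is an added example, not code from Koi Security or from the article; the sample lockfile, its version strings and the "wa-helper"/"wa-client" names are constructed placeholders.

```javascript
const SUSPECT = "lotusbail"; // package name reported in the article

// True if a lockfile entry installs `name`, directly or under an npm alias.
function isSuspect(installName, meta, name) {
  const resolved = meta.resolved || "";
  const version = meta.version || "";
  return installName === name ||
    meta.name === name ||                   // v2/v3 alias: real name recorded
    resolved.includes(`/${name}/-/`) ||     // registry tarball URL path
    version.startsWith(`npm:${name}@`);     // v1 alias: "npm:real@version"
}

// Returns [{ path, version }] for every install of `name`, transitive included.
function findPackage(lock, name = SUSPECT) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // "" is the root project itself
      const installName = path.slice(idx + "node_modules/".length);
      if (isSuspect(installName, meta, name)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects, walked recursively.
  const walk = (deps, prefix) => {
    for (const [installName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${installName}`;
      if (isSuspect(installName, meta, name)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; versions and the "wa-*" names are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2", resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
    "node_modules/wa-helper/node_modules/lotusbail": { version: "0.0.0-example" },
    "node_modules/wa-client": { name: "lotusbail", version: "0.0.0-example" },
  },
};

for (const hit of findPackage(SAMPLE_LOCK)) console.log(`FOUND ${hit.path} (${hit.version})`);
```

For a real project, pass the parsed contents of its package-lock.json to findPackage. Any hit also calls for unlinking devices in WhatsApp, since removing the package alone does not revoke the access described above.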

The Nimble Nerd