Lotusbail malicious npm package stealing WhatsApp account data and messages
Malware Activity
Summary
The lotusbail package is a malicious npm library that steals WhatsApp account data and can leave victims with persistent unauthorized access. It masquerades as a legitimate WhatsApp Web API library while capturing authentication tokens, session keys, and message traffic. The package has been available for at least six months and has amassed more than 56,000 downloads.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
NoVoice Android malware hidden in Google Play apps
Malware Activity
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
Signal support-lure phishing campaign targeting European officials and journalists
Campaign
First: 07.02.2026 13:15
Last: 07.02.2026 13:15
Sources 1
About this happening:
**Germany's BfV and BSI** warned that a likely **state-sponsored** actor is running a **Signal phishing campaign** that can steal **PINs** and **device-link access**, putting **po...
Timeline
- 22.12.2025 18:08 · 2 articles · 5mo ago
Koi Security discloses malicious npm package lotusbail
Initial Disclosure
Koi Security identified lotusbail, a malicious npm package posing as a WhatsApp Web API library and a fork of WhiskeySockets Baileys, that steals WhatsApp authentication tokens and session keys, intercepts sent and received messages, exfiltrates contacts, media files, and documents, and pairs an attacker's device to the victim's WhatsApp account for persistent access.
- Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08