Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lotusbail malicious npm package stealing WhatsApp account data and messages

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The lotusbail package is a malicious npm library that steals WhatsApp account data and can leave victims with persistent unauthorized access. It masquerades as a legitimate WhatsApp Web API library while capturing authentication tokens, session keys, and message traffic. The package has been available for at least six months and has amassed more than 56,000 downloads.

Related Happenings

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

WhatsApp VBScript phishing campaign targeting users in multiple countries

Campaign
H score43 First: 23.06.2026 01:42 Last: 23.06.2026 01:42 Sources 1

About this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...

WhatsApp contempt motion against NSO Group

Regulatory/Legal Action
H score33 First: 09.06.2026 11:15 Last: 09.06.2026 11:15 Sources 1

About this happening: WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

TCLBanker self-spreading banking trojan

Malware Activity
H score31 First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

Timeline

  1. 22.12.2025 18:08 2 articles · 6mo ago

    Koi Security discloses malicious npm package lotusbail

    Initial Disclosure

    Koi Security identified lotusbail, a malicious npm package posing as a WhatsApp Web API library and a fork of WhiskeySockets Baileys, that steals WhatsApp authentication tokens and session keys, intercepts sent and received messages, exfiltrates contacts, media files, and documents, and pairs an attacker's device to the victim's WhatsApp account for persistent access.

    Show sources