Lotusbail malicious npm package stealing WhatsApp account data and messages
Malware Activity
Summary
Hide ▲
Show ▼
The lotusbail package is a malicious npm library that steals WhatsApp account data and can leave victims with persistent unauthorized access. It masquerades as a legitimate WhatsApp Web API library while capturing authentication tokens, session keys, and message traffic. The package has been available for at least six months and has amassed more than 56,000 downloads.
Related Happenings
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp contempt motion against NSO Group
Regulatory/Legal Action
H score33
First: 09.06.2026 11:15
Last: 09.06.2026 11:15
Sources 1
About this happening:
WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
WhatsApp contempt motion against NSO Group
Regulatory/Legal ActionAbout this happening: WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
H score31
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
TCLBanker self-spreading banking trojan
Malware ActivityAbout this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Timeline
-
22.12.2025 18:08 2 articles · 6mo ago
Koi Security discloses malicious npm package lotusbail
Initial DisclosureKoi Security identified lotusbail, a malicious npm package posing as a WhatsApp Web API library and a fork of WhiskeySockets Baileys, that steals WhatsApp authentication tokens and session keys, intercepts sent and received messages, exfiltrates contacts, media files, and documents, and pairs an attacker's device to the victim's WhatsApp account for persistent access.
Show sources
- Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
- Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08