**Worrying WhatsApp Attack Can Steal Messages and Even Accounts: Here's How to Stay Safe**
Users of the Node Package Manager (NPM) registry are being targeted with malware that takes over their WhatsApp accounts and steals messages and contact lists, experts have warned.
Cybersecurity researchers at Koi Security recently discovered a fork of the popular WhiskeySockets Baileys project, an open source TypeScript/JavaScript library that provides a WebSocket-based API for interacting with the WhatsApp Web protocol. The library allows developers to programmatically connect to WhatsApp as a companion device.
The malicious fork, named 'lotusbail', has all the same functionality as the legitimate project, but it also steals WhatsApp authentication tokens and session keys. Furthermore, it intercepts and records all messages, pulls contacts, media files, and all other documents, sending them to a third-party server.
"The package wraps the legitimate WebSocket client that communicates with WhatsApp," Koi Security explained in its report. "Every message that flows through your application passes through the malware's socket wrapper first."
When users authenticate, the wrapper captures their credentials. When messages arrive, it intercepts them. And when users send messages, it records them.
But perhaps most alarmingly, the package links the attacker’s device with the victim’s WhatsApp account through the app’s pairing feature. This means that even if the user removes the malicious NPM package, their WhatsApp account remains compromised until the link is manually disconnected.
The malware was sitting on npm for at least half a year, and during that time it amassed more than 56,000 downloads.
NPM is one of the world’s most popular public online registries for JavaScript packages. It allows developers to discover, download, and manage open source and private packages used in Node.js and JavaScript projects.
As such, it is constantly bombarded with all sorts of scams and hack attacks, from forked projects to typosquatted ones. To stay safe, devs are advised to be extra careful when downloading and running anything, even projects with thousands of downloads.
**How to Stay Safe**
To avoid falling victim to this type of attack, developers should take the following precautions:
- Be cautious when downloading and running NPM packages, even if they have a high number of downloads.
- Regularly check the npm packages you are using for any updates or changes.
- Use reputable antivirus software to scan your system for malware.
By taking these precautions, developers can protect themselves and their users from falling victim to this type of attack.
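One way to act on this advice is to check whether the package named in this article is present, directly or as a transitive dependency, in a project's lockfile. The following is an added example, not code from Koi Security or the Baileys project; `findBlocked`, `BLOCKED` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Added example: locate a blocked package anywhere in an npm lockfile.
const BLOCKED = new Set(['lotusbail']); // package name reported in the article

// Takes a parsed package-lock.json; returns every location where a blocked
// package is installed, including transitive dependencies and npm aliases.
function findBlocked(lock, blocked = BLOCKED) {
  const hits = [];

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // the "" key is the root project itself
    const installed = path.split('node_modules/').pop();
    // "name" is recorded when the install path hides the real name (alias).
    if (blocked.has(meta.name || installed) || blocked.has(installed)) hits.push(path);
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      // Aliases are stored as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@[^@]*$/.exec(meta.version || '');
      if (blocked.has(name) || (alias && blocked.has(alias[1]))) hits.push(here.join(' > '));
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (hypothetical project, placeholder versions).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-bot', dependencies: { 'chat-helper': '^0.0.0' } },
    'node_modules/chat-helper': { version: '0.0.0' },
    'node_modules/chat-helper/node_modules/lotusbail': { version: '0.0.0' },
    'node_modules/wa-client': { name: 'lotusbail', version: '0.0.0' },
    'node_modules/ws': { version: '0.0.0' },
  },
};

console.log(findBlocked(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on each project's `package-lock.json`. A hit means the package was installed at some point, so the WhatsApp account's linked devices also need reviewing, since removing the package does not undo the pairing.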
**About the Author:**
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.