Overview
- Koi Security found that the library is a functional fork of @whiskeysockets/baileys whose WhatsApp Web traffic is routed through a malicious WebSocket wrapper.
- The malware captures authentication tokens and session keys, messages, contacts, media, and documents, then exfiltrates them to an attacker-controlled server.
- It also hijacks WhatsApp's device-linking flow with a hard-coded pairing code, so the attacker keeps account access until the unrecognized linked device is removed from the account.
- The package hides its activity behind custom RSA encryption, four layers of obfuscation, and 27 anti-debugging infinite-loop traps.
- Published in May 2025 by the account "seiren_primrose," it has more than 56,000 downloads, 711 of them in the past week; researchers advise removing the package, reviewing linked devices, and adding runtime behavioral monitoring.