Malicious npm Package in Baileys Fork: A Security Threat

Malicious npm Package in Baileys Fork: A Security Threat

Malicious npm Package in Baileys Fork: A Security Threat

The Xygeni Security Research Team has identified a malicious npm package, @dappaoffc/baileys-mod, which is a fork of the widely used WhatsApp Web API library @whiskeysockets/baileys. This package contains a runtime code injection that silently subscribes the developer’s authenticated WhatsApp bot session to attacker-controlled newsletter channels.

Technical Overview

The malicious package abuses the trust relationship between a developer and a commonly forked open source library. It presents itself as a modified version of Baileys, a popular WhatsApp Web API implementation widely used to build automation bots.

Runtime Injection Mechanism

The malicious logic inside this package lives in lib/Socket/newsletter.js, embedded directly within the module’s execution context. The attacker wrapped the injected block in an Immediately Invoked Function Expression (IIFE), which guarantees execution as soon as the module loads.

However, instead of triggering immediately, the payload introduces a delayed execution mechanism. After the delay expires, the payload performs a controlled sequence: it fetches a JSON file from a GitHub raw content URL, parses a list of WhatsApp newsletter IDs, iterates through the list, and calls newsletterWMexQuery(id, QueryIds.FOLLOW) for each entry.

Technical Comparison: Legitimate vs Injected Behavior

The following table compares the legitimate behavior of the Baileys library with the injected behavior of the malicious package:

  • Installation Phase: The malicious package validates Node.js version only, with no visible malicious behavior at install time.
  • Module Initialization: The malicious package exports a WhatsApp socket factory, with an IIFE that executes automatically on module load.
  • Execution Timing: The malicious package has an 80-second delayed activation, whereas the legitimate library has no delayed behavior.
  • Network Communication: The malicious package communicates with GitHub raw content, whereas the legitimate library communicates only through WhatsApp WebSocket protocol.

Dynamic Control Channel via GitHub

The newsletter ID list is hosted on GitHub, providing several operational advantages, including dynamic payload updates without publishing a new npm version, a trusted TLS endpoint that blends into normal developer traffic, and no attacker-managed infrastructure required.

Indicators of Compromise

Security teams investigating this malicious npm package should evaluate the following signals: outbound GET requests to raw.githubusercontent.com from WhatsApp bot processes, newsletter FOLLOW actions occurring without application logic triggering them, @dappaoffc/baileys-mod version 8.0.1 (and potentially 8.0.0), dependency alias redirecting libsignal, and runtime IIFE injection inside newsletter.js.

Detection and Mitigation with Xygeni

Xygeni’s Malware Early Warning (MEW) detected this package by correlating multiple signals, including an unexpected fetch() call inside a WhatsApp core module, outbound communication to GitHub raw content, delayed execution patterns embedded in runtime logic, and nested silent error handling.