Security researchers are just now realizing that some genius decided to write a WhatsApp API library that's actually just a sneaky thief in disguise. "Lotusbail" is the name of this delightful package, which had racked up over 50,000 downloads on npm before anyone noticed it was quietly sucking all your personal and business data into its belly.
Because who needs security when you can have free functionality? This charming piece of code comes wrapped in a genuine-looking WhatsApp client library, making it the perfect Trojan horse for unsuspecting developers. As one Koi researcher so eloquently put it: "With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency devs install without a second thought." Translation: we were too lazy to read the fine print.
The cherry on top is that this lovely package has been living its best life on npm for six whole months, accumulating all your sensitive info like it was going out of style. And guess what? It's still available for download! Because who needs security updates when you can just keep installing malicious code and hope for the best?