
Malicious NPM packages deceive WhatsApp developers

Researchers at Socket have discovered two malicious NPM packages that pose as legitimate WhatsApp development tools but actually contain destructive code that deletes files from the developer’s system.

The packages, naya-flore and nvlore-hsc, were published in the NPM registry and have been downloaded more than 1,100 times since last month. Although Socket submitted removal requests and flagged the publisher nayflore, the packages are still available.

The same publisher has placed even more packages in the NPM registry, including nouku-search, very-nay, naya-clone, node-smsk, and @veryflore/disc. These do not currently exhibit any malicious behavior. However, an update could add malicious code at any time.

All packages mimic legitimate WhatsApp developer libraries used to build bots and automation tools around the WhatsApp Business API. Demand for such libraries has increased significantly recently as more companies deploy the WhatsApp Cloud API for customer communication.

The malicious packages contain a function called requestPairingCode, which would normally be responsible for the WhatsApp connection. In reality, this function retrieves a base64-encoded JSON file from a GitHub address. That file contains a list of Indonesian phone numbers that serve as a kill switch.

Dormant function

If the user’s phone number is on the list, the malicious functionality is skipped. In all other cases, the code executes the command rm -rf *, which recursively deletes all files in the current directory. In addition, there is a dormant function, generateCreeds, which would be able to exfiltrate the victim’s phone number, device ID, status, and a hardcoded key. This function is commented out in both packages and is therefore currently disabled.

In addition to these NPM packages, Socket also discovered eleven malicious Go packages that use string array obfuscation to execute external payloads in the background during runtime. These packages launch a shell, retrieve a second-stage script or executable file from .icu or .tech domains, and execute it directly in memory. Both Linux CI servers and Windows workstations are targeted.

Most of these packages use typosquatting, where developers are misled by packages with names that closely resemble popular, legitimate libraries. Because many of these packages are still active, developers are advised to carefully check their dependencies before deploying them in their environment.
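As an added illustration of the dependency check recommended above (this is not code from Socket or from the article), the script below reads a package.json object and flags the two malicious packages named here, the same publisher's other packages, and names within a small edit distance of a trusted library, which is the typosquatting pattern described. The trusted list and the sample package.json are constructed for the example.

```javascript
// Package names reported in the article.
const KNOWN_BAD = new Set(["naya-flore", "nvlore-hsc"]);
const SAME_PUBLISHER = new Set([
  "nouku-search", "very-nay", "naya-clone", "node-smsk", "@veryflore/disc",
]);
// Constructed allow-list: libraries an organisation has actually vetted.
const TRUSTED = ["express", "whatsapp-web.js"];

// Levenshtein edit distance, used to spot near-miss names (typosquats).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Walk dependencies and devDependencies; return one finding per suspicious name.
function auditDependencies(pkgJson, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: "known-malicious" });
    } else if (SAME_PUBLISHER.has(name)) {
      findings.push({ name, reason: "same-publisher-watch" });
    } else if (!TRUSTED.includes(name)) {
      const near = TRUSTED.find((t) => levenshtein(t, name) <= maxDistance);
      if (near) findings.push({ name, reason: `possible-typosquat-of:${near}` });
    }
  }
  return findings;
}

// Constructed sample manifest: one malicious package, one typo of "express",
// one legitimate dependency and one package from the same publisher.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "naya-flore": "^1.0.0", "expres": "4.0.0", "express": "^4.18.0" },
  devDependencies: { "naya-clone": "1.0.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it against a real manifest by replacing SAMPLE_PACKAGE_JSON with the parsed contents of your package.json; a distance threshold of 2 will also flag short legitimate names, so review findings rather than failing the build on them automatically.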